Tag: security

Announced at 6pm on Friday, NAB have confirmed that the personal details of 13,000 customers have been uploaded, by human error, to not one, but TWO, 3rd party data services. It’s believed the breach has been contained at the data providers and no information has further leaked.

As NAB’s Chief Data Officer, Glenda Crisp, reiterated in a video, the breach was not a cyber-security issue but the result of someone mistakenly putting data where they shouldn’t have.

The remainder of the video and statement is largely NAB saying they’ve looked into it, they assure you it won’t happen again, yadda, yadda. We all know that’s a load of crap, and the same joint that sent 60,000 emails to a scamming domain squatter is likely to have this repeat.

Regardless, for those affected this time around, NAB have promised to contact each customer individually by either phone, email or mail.

Of course NAB are saying the 6pm Friday release of this information was in line with their internal timelines for dealing with the issue. It obviously wouldn’t have anything at all to do with the fact that late Friday news is buried by sport and weekend guff, now would it. Dogs.

Source: NAB apologises to customers for data breach | NAB News

Sensitive personal information on more than 198 million voters in the United States was stored unencrypted and with no access controls in the cloud, potentially creating one of the largest data leaks ever.

Measuring 1.1TB, the information was stored in an unprotected Amazon Simple Storage Service (S3) bucket as spreadsheet files.

Looks like no one needed to “hack” anything to affect the elections, it was all just sitting there waiting to be taken!

Source: Trump campaign data firms leak info on 200m US voters – Security – iTnews

Netgear’s Arlo security system is the company’s first foray into a rapidly growing DIY home security market. Comprising the usual feature set we’ve come to expect of such systems, like night vision and motion detection, Arlo takes things a step further by introducing wireless HD cameras. Each camera streams a 720p image and has a 110-degree field of view. They’re also completely weatherproof and can operate solidly up to 25m from the Arlo base station.


If you’ve got a Synology NAS open to the Internet (i.e. so you can access your files away from home via the Internet), disable that feature and make sure your firewall totally blocks the NAS from talking to the Internet. There’s a nasty bit of ransomware going around targeting Synology NAS units – it encrypts the volumes on the NAS and makes you pay the attacker via Bitcoin in order to get the encryption passphrase to access your files again.

AgileBits blog:

1Password 4 for Android is now rolling out for phones and tablets. It is a brand new app and should be available in Google Play as soon as Google’s servers update!

This is a fully operational, add-and-edit-all-your-items-able, one-tap Login-able new version of 1Password that has been rebuilt from the first line of code to the last icon.

A huge, huge update over their last Android app. It looks fantastic too.

They’re also doing something quite interesting with the price — going for a free, read-only app (which is unlocked for now):

1Password 4 for Android is a free app, and through August 1, 2014, all features are unlocked and free for everyone to try. After that, it will switch to being a reader client for your vault, a perfect companion for syncing your data with 1Password for Mac and PC.

If you want all editing features of 1Password 4 for Android after August 1, you can unlock them with a one-time in-app purchase. We’re still figuring out what that price is going to be, but we’ll have details soon!

Generally, 1Password has always been a little more expensive and more Apple device-oriented than their competition. With this update, they look to be addressing both of those issues at once. Very cool.

Also, I really hope this in-app purchase experiment is a success, and carries over into iOS. I certainly think it would encourage more people to try 1Password.

After this, there’s only one big-ticket item left on their update docket: 1Password for Windows.

The Guardian:

The company has broken its silence on government surveillance in order to push back against the increasingly widespread use of phone and broadband networks to spy on citizens, and will publish its first Law Enforcement Disclosure Report on Friday. At 40,000 words, it is the most comprehensive survey yet of how governments monitor the conversations and whereabouts of their people.

Vodafone is basically admitting that governments installed links directly into its core networks, giving them the ability to grab whatever information they wanted on Vodafone’s customers without a warrant or even notifying Vodafone. Vodafone didn’t even know what was going on, because the staff the government enlisted to do this work, who may themselves be Vodafone employees, were not allowed to tell Vodafone. I guess they had their suspicions, but now Vodafone is going public with what they know (within the law, I guess?).

It’s not surprising Vodafone is part of the dragnet though – every other telco is too. Telstra are basically a clearing house for ASIO/DSD/Five Eyes. Good on Vodafone for being one of the first (if not the first?) telcos to publicly admit to it and go “hey, look, this is what we’ve been doing, we didn’t like it but we had to”. I wonder if there will be any info about Vodafone’s Australian operations in this report?

Troy Hunt (of haveibeenpwned.com) on his personal blog:

I’ve been speaking to a bunch of people over the last couple of days about this attack, so I thought I’d collate some info on how it works, what we know and what the possible sources of the attack may be.

An excellent summary of the iCloud hijacks, how they’ve been implemented, and smart analysis of where they could have originated from.

Troy is fast becoming one of my favourite writers on the topic of online security.

For the record, Apple responded yesterday stating iCloud was not compromised during these incidents.

PayPal:

Later today, eBay Inc. will be asking all eBay users to change their passwords due to a cyber attack that compromised an eBay database containing encrypted eBay passwords and other non-financial information. eBay will notify its user base directly within the next 24 hours with more details.

Why did eBay announce this via their PayPal Media page and not the eBay media page?
Why is this not on the eBay home page or in My eBay?
Why are they waiting to tell customers when they have had enough time to put up a press release?
Why doesn’t eBay have 2-factor authentication?

iTnews:

Registrants must tell the police their total number of connections, customers and size of their geographic coverage, and ensure that law enforcement agencies have access to customer data and connections when needed. As part of the new law – which requires the country’s main signals intelligence agency, the Government Communications Security Bureau (GCSB), to play a prime role in network and systems security – providers are now duty-bound to notify the state about any design and procurement decisions before implementation, according to government guidance.

If you’re operating any sort of telecommunications company in NZ, you need to inform the government before you buy any new gear, so they can vet it and, I assume, make sure they’re able to intercept any data and access customer info at their leisure. The people that check over it? GCSB – part of the Five Eyes surveillance group. Nice. How long until Senator Brandis gets jealous of NZ and this happens in Australia too?