FACEBOOK: The Untouchables: You Can’t Sue General Mills if You “Like” Their Products on Facebook

http://www.nytimes.com/2014/04/17/business/when-liking-a-brand-online-voids-the-right-to-sue.html?_r=1

General Mills, the maker of cereals like Cheerios and Chex as well as brands like Bisquick and Betty Crocker, has quietly added language to its website to alert consumers that they give up their right to sue the company if they download coupons, “join” it in online communities like Facebook, enter a company-sponsored sweepstakes or contest or interact with it in a variety of other ways.

If you “like” one of their products on Facebook or download coupons from them, their new terms of use state that you can no longer take them to court for any reason. Here is the new clause, straight from the horses…ahem…mouth.

General Mills, the maker of cereals like Cheerios and Chex as well as brands like Bisquick and Betty Crocker, has quietly added language to its website to alert consumers that they give up their right to sue the company if they download coupons, “join” it in online communities like Facebook, enter a company-sponsored sweepstakes or contest or interact with it in a variety of other ways.

Instead, anyone who has received anything that could be construed as a benefit and who then has a dispute with the company over its products will have to use informal negotiation via email or go through arbitration to seek relief, according to the new terms posted on its site. (source)

 

http://www.nutritionalanarchy.com/2014/04/18/the-untouchables-you-cant-sue-general-mills-if-you-like-their-products-on-facebook/

Might downloading a 50-cent coupon for Cheerios cost you legal rights?

If so, I hope you didn’t “like” them on Facebook.

General Mills has taken “CYA” (Cover Your A**) to an entirely new level.

This is morally and legally wrong.

BRUTEFORCE HACKING – Bruteforce Calculator – A Visual Guide

http://calc.opensecurityresearch.com/

Wonder why hackers use dictionaries that are precompiled?

Select the password length (8 or 10 characters)

 

Select the hashing algorithm, MD5, SHA1, Kerberos.

Select if number or a mix of alpha numeric.

Then get time.

****

If you are going to compile your own wordlist, use small data sets, compile 8 characters, then compile a file for 9 characters.

It is feasible to crack a password of 8 characters, it probably isn’t feasible to crack a password of 18 characters.

Use Graphics cards rather than your CPU for cracking.  GPU’s are much faster.

What to do next…

KALI – How to crack passwords using Hashcat – The Visual Guide

https://uwnthesis.wordpress.com/2013/08/07/kali-how-to-crack-passwords-using-hashcat/

Claim: “The NSA is Out of Control!”

Published on Apr 16, 2014

Back in early September, 2013, Matthew Green, a computer science professor in cryptography at JHU, tweeted on his blog that the NSA was engaged in efforts “to break encryption” on private servers and was doing so on a big scale. His post was flagged and Green was told by the school to remove the post. Later, the school’s decision to impose its heavy-handed censorship measure was reversed.

On Tuesday evening, April 15, 2014, on the campus of Johns Hopkins U., a public forum featuring three panel members was held to discuss the above matter and the issue of “collaboration” between the NSA & JHU, and other universities. The event was sponsored by the students’ “Human Rights Working Group” and the “New Political Society.” The first speaker was Christopher Soghoain, a representative of the ACLU. Mr. Soghoain, a graduate of JHU, who is experienced in the field of surveillance cases, claimed: “We have an intelligence agency [NSA] that is out of control! This is an agency that is collecting information about law-abiding Americans who’ve done nothing wrong…” Professor Green recounted his JHU-related blog/censorship experience from last year. He also underscored his concern that the “NSA has been inside ‘Google’s Data Centers’ collecting data.” An attorney and expert on Constitutional Law, Shahid Buttar, was the third panel member. He is the Exec. Dir. of the “Bill of Rights Defense Committee.” Buttar traced the history of government-sanctioned spying and warned that the NSA’s egregious conduct has currently reached Orwellian proportions and is a serious threat to “Freedom of Thought!”

 

Tax dodgers beware: Taxman could be watching your social media

http://www.cnet.com/news/tax-dodgers-beware-irs-could-be-watching-your-social-media/

The IRS is said to be data mining Facebook, Instagram, Twitter, and other sites for info that could come handy in audits.

Facebook, Instagram, and Twitter have all become places where people post intimate details about their lives: vacation photos, work successes, buying a new house, car, or other cool stuff.  However, this information is also up for grabs by the Internal Revenue Service.

In its quest to find and audit tax dodgers, the IRS is said to use online activity trackers to sift through the mass amounts of data available on the Internet, according to Marketplace. This data is then added to the information the agency already has on people, such as Social Security numbers, health records, banking statements, and property.

“It seems they may be using predictive analytics,” University of Pennsylvania’s Annenberg School of Communication Professor Joseph Turow told Marketplace. “That takes a huge amount of data and puts it together in a big pot to see if they can predict which individuals don’t pay their taxes.”

Last year, it was revealed that the IRS was claiming the right to read taxpayers’ email and private information on social media accounts without first getting a search warrant. After a brouhaha from civil liberties groups, citizens, and lawmakers, the IRS announced the no-warrant-required policy would be ditched for email, but it did not make the same commitment for other private electronic communications.

ANDROID – Heartbleed makes 50m Android phones vulnerable, data shows

http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows

Devices running Android 4.1.1 could be exploited by ‘reverse Heartbleed’ to yield user data – including 4m in US alone

At least 4m Android smartphones in the US, and tens of millions worldwide, could be exploited by a version of the “Heartbleed” security flaw, data provided to the Guardian shows.

Worldwide, the figure could be 50m devices, based on Google’s own announcement that any device running a specific variant of its “Jelly Bean” software – Android 4.1.1, released in July 2012 – is vulnerable.

The figure, calculated using data provided exclusively by the analytics firm Chitika, is the first time an accurate estimate has been put on the number of vulnerable devices. Other estimates have suggested it is hundreds of millions, based on the number of devices running versions of Android 4.1. But most of those run 4.1.2, which is not at risk.

Google has not disclosed how many devices are vulnerable, although it has indicated that the figure is “less than 10%” of devices activated worldwide.

But that could be a huge number, given that Google has activated 900m Android devices worldwide. There are also hundreds of millions of handsets in China running Android without Google services, which would not show up on its systems, and which are also likely to be running vulnerable versions.

The figure on the number of vulnerable devices comes from an analysis for the Guardian by the ad network Chitika of US network traffic. Looking at web traffic for the seven-day period between 7 April and 13 April, “Android 4.1.1 users generated 19% of total North American Android 4.1 Web traffic, with users of version 4.1.2 generating an 81% share. Web traffic from devices running Android 4.1.0 made up less than 0.1% of the Android 4.1 total observed, so we did not include for the purposes of clarity,” said Andrew Waber, a Chitika representative.

Based on Comscore data which suggests there are 85m Android smartphones in use in the US, that means that there are at least 4m handsets which are vulnerable.

The devices would be vulnerable to a hack described as “reverse Heartbleed” – where a malicious server would be able to exploit the flaw in OpenSSL to grab data from the phone’s browser, which could include information about part sessions and logins.

The NSA’s Heartbleed problem is the problem with the NSA – Guardian

http://www.theguardian.com/commentisfree/2014/apr/12/the-nsas-heartbleed-problem-is-the-problem-with-the-nsa

What the agency’s denial isn’t telling you: it didn’t even need know about the bug to vacuum your privacy and store it indefinitely

The American intelligence community is forcefully denying reports that the National Security Agency has long known about the Heartbleed bug, a catastrophic vulnerability inside one of the most widely-used encryption protocols upon which we rely every day to secure our web communications. But the denial itself serves as a reminder that NSA’s two fundamental missions – one defensive, one offensive – are fundamentally incompatible, and that they can’t both be handled credibly by the same government agency.

In case you’ve spent the past week under a rock, Heartbleed is the name security researchers have given to a subtle but serious bug in OpenSSL, a popular version of the Transport Layer Security (TLS) protocol – successor to the earlier Secure Sockets Layer (SSL) – that safeguards Internet traffic from prying eyes. When you log in to your online banking account or webmail service, the little lock icon that appears in your browser means SSL/TLS is scrambling the data to keep aspiring eavesdroppers away from your personal information. But an update to OpenSSL rolled out over two years ago contained a bug that would allow a hacker to trick sites into leaking information – including not only user passwords, but the master encryption keys used to secure all the site’s traffic and verify that you’re actually connected to MyBank.com rather than an impostor.

It’s exactly the kind of bug you’d expect NSA to be on the lookout for, since documents leaked by Edward Snowden confirm that the agency has long been engaged in an “aggressive, multi-pronged effort to break widely used Internet encryption technologies”. In fact, that effort appears to have yielded a major breakthrough against SSL/TLS way back in 2010, two years before the Heartbleed bug was introduced – a revelation that sparked a flurry of speculation among encryption experts, who wondered what hidden flaw the agency had found in the protocol so essential to the Internet’s security.

On Friday, Bloomberg News reported that Heartbleed had indeed been added to NSA’s arsenal almost immediately after the bug appeared, citing two anonymous sources “familiar with the matter”. Within hours, the intelligence community’s issued an unusually straightforward denial, free from the weasely language intelligence officials sometimes employ to almost-but-not-quite deny allegations. As the statement pointed out, the federal government itself “relies on OpenSSL to protect the privacy of users of government websites and other online services.” If NSA had found such a serious security hole, the agency would have disclosed it, officials asserted. Moreover, the White House has recently “reinvigorated” the “Vulnerabilities Equities Process” designed to ensure that newly-discovered exploits aren’t kept secret any longer than is absolutely necessary for vital intelligence purposes.

As Indiana University cybersecurity expert Fred Cate points out, however, the intelligence community’s track record of misleading statements about its capabilities means even such a seemingly unambiguous denial has been greeted with some skepticism. And even if we take that denial at face value when it comes to Heartbleed, reports of NSA’s 2010 “breakthrough” suggest they may be sitting on other, still-undisclosed vulnerabilities.

Here, however, is the really crucial point to recognize: NSA doesn’t need to have known about Heartbleed all along to take advantage of it.

The agency’s recently-disclosed minimization procedures permit “retention of all communications that are enciphered.” In other words, when NSA encounters encryption it can’t crack, it’s allowed to – and apparently does – vacuum up all that scrambled traffic and store it indefinitely, in hopes of finding a way to break into it months or years in the future. As security experts recently confirmed, Heartbleed can be used to steal a site’s master encryption keys – keys that would suddenly enable anyone with a huge database of encrypted traffic to unlock it, at least for the vast majority of sites that don’t practice what’s known as “forward security”, regularly generating new keys as a safeguard against retroactive exposure.

If NSA moved quickly enough – as dedicated spies are supposed to – the agency could have exploited the bug to steal those keys before most sites got around to fixing the bug, gaining access to a vast treasure trove of stored traffic.

That creates a huge dilemma for private sector security experts. Normally, when they discover a vulnerability of this magnitude, they want to give their colleagues a discreet heads-up before going public, ensuring that the techies at major sites have a few days to patch the hole before the whole world learns about it.

The geeks at NSA’s massive Information Assurance Directorate – the part of the agency tasked with protecting secrets and improving security – very much want to be in that loop. But they’re part of an organization that’s also dedicated to stealing secrets and breaking security. And security companies have been burned by cooperation with NSA before: the influential firm RSA trusted the agency to help them improve one of their popular security tools, only to discover via another set of Snowden documents that the spies had schemed to weaken the software instead.

Giving NSA advance warning of Heartbleed could help the agency protect all those government systems that were relying on OpenSSL to protect user data – but it also would aid them in exploiting the bug to compromise privacy and security on a massive scale in the window before the fix was widely deployed.

Little wonder, then, that the President’s Review Group on Intelligence and Communications Technologies – informally known as the Surveillance Review Group – dedicated a large section of its recent report, Liberty and Security in a Changing World, to this basic tension. “NSA now has multiple missions and mandates, some of which are blurred, inherently conflicting, or both,” the Review Group wrote. “Fundamentally NSA is and should be a foreign intelligence organization” rather than “an information assurance organization.”

Because Internet security depends on trust and cooperation between researchers, the mission of a security-breaking agency is fundamentally incompatible with that of a security-protecting agency. It’s time to spin off NSA’s “defense” division from the “offense” team. It’s time to create an organization that’s fully devoted to safeguarding the security of Internet users – even if that might make life harder for government hackers.

RT: NSA knew about Heartbleed for two years – Bloomberg

http://rt.com/usa/nsa-knew-heartbleed-hacking-years-004/

The critical “Heartbleed” bug reported earlier this week to have affected the security of most of the internet was discovered by researchers at the United States National Security Agency two years earlier, according to a new report.

On Friday afternoon, Bloomberg News journalist Michael Riley reported that the NSA knew about the monstrous flaw for at least two years ahead of this week’s announcement, but kept it hidden from technologists and instead exploited it to hack the computers and correspondence of certain intelligence targets.

Earlier in the week, the open-source OpenSSL internet security project issued an emergency advisory after discovery of the Heartbleed bug revealed a weakness that may have for years allowed hackers to access online information otherwise thought to be protected by the SSL/TLS encryption standard used by around two-thirds of the web.

But according to sources that Riley says are familiar with the matter, the NSA kept details of the bug a secret shortly after first discovering it in early 2012 so that it could be added to the agency’s toolbox of exploits and hacks.

“The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks,” Riley wrote.

“Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost,” he added. “Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”

Shortly after Bloomberg published their report, agency spokeswoman Vanee Vines told the National Journal that the NSA “was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report.”

“Reports that say otherwise are wrong,” she said, dismissing Riley’s report.

In December, a five-person review group handpicked by US President Barack Obama to reassess the NSA’s intelligence gathering abilities said that the government must not stockpile details about any so-called “zero day” vulnerabilities, or flaws unknown to computer programs who have thus had “zero days” to patch them.

“In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection,” the group told the president. “Eliminating the vulnerabilities — “patching” them — strengthens the security of US Government, critical infrastructure, and other computer systems.”

“We recommend that, when an urgent and significant national security priority can be addressed by the use of a Zero Day, an agency of the US Government may be authorized to use temporarily a Zero Day instead of immediately fixing the underlying vulnerability.”

Pres. Obama has since asked Congress to adhere to one of that group’s recommendations — halting the government’s bulk collection of telephony metadata — but has not publically spoken of zero days before or after this week’s discovery of Heartbleed.

Previously, however, journalists and privacy advocates working with the trove of classified NSA documents disclosed last year by former contractor Edward Snowden said that the secretive intelligence agency had been undermining the very security of the internet by exploiting other flaws to hack targets.

At a security conference in December, expert Jacob Appelbaum from Germany’s Der Spiegel magazine said that the NSA had acquired the means to compromise any Apple iPhone in the world and occasionally relied on a number of high-tech tools and implants to hack targets.

“Basically the NSA, they want to be able to spy on you. And if they have ten different options for spying on you that you know about, they have 13 ways of doing it and they do all 13. So that’s a pretty scary thing,”said Appelbaum, who previously spoke on behalf of WikiLeaks at a US conference and is a core member of the Tor anonymity project.

 

NSA Said to Exploit Heartbleed Bug for Intelligence for Years – Bloomberg

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

Photographer: Brooks Kraft/Corbis

Security personnel outside the National Threat Operations Center at the National… Read More

Controversial Practice

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

World’s Biggest Data Breaches Selected losses greater than 30,000 records

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Beautiful graphics regarding the worlds greatest data breaches.

NHS has a mere 8.3 million.

NSA: German Chancellor Angela Merkel Denied Access to her NSA file

http://www.newsforage.com/2014/04/german-chancellor-angela-merkel-denied.html

US spy bosses have ignored a request from Chancellor Angela Merkel to look at her secret service file, according to reports on Wednesday. It came as the chairman of the committee investigating NSA spying in Germany resigned.

Germany’s interior ministry reportedly approached the United States’ National Security Agency (NSA) last October to ask for the file’s content, amid revelations the NSA had been tapping the chancellor’s mobile phone.

But in a written response to parliamentary questions from the Green Party, the German government said: “The United States has not revealed the relevant information to the German government.”

Green Party foreign policy spokesman Omid Nouripour wanted to know whether the chancellor had requested access to the documents produced by the NSA while they were spying on her phone, whether the US government has revealed details about the transcripts and whether Merkel was considering pushing for the files to be destroyed.  

The German government did not respond to the question of whether it had asked for the files to be destroyed, but it had received no answer for its request to see the file, the Sächsische Zeitung reported on Wednesday.

And in an interview with Spiegel magazine this week interior minister Thomas de Maizière said the information provided by the United States “is to this day insufficient”.

Former NSA contractor Edward Snowden revealed in October that the NSA had been tapping Merkel’s mobile phone.

“If two-thirds of that which Edward Snowden claims or that which is attributed to him as a source were to be true, then I would come to the conclusion that the United States is operating without limits,” de Maizière said in the interview.

****

Wouldn’t you have liked to be a fly on the wall when the NSA received that request?