Australian statistician David Kalisch told Fairfax Media the Bureau had been keeping the names it collected for up to 18 months.
“They’ve done it under the guise of: ‘this is while we are processing the data’,” he said.
“They’ve done linkages, they’ve done other things. What’s happening now is we are being more transparent about it.”
The studies have been conducted despite a commitment on the ABS website that “name and address information will be destroyed once statistical processing has been completed”.
They used the names and addresses on census forms to link the census answers to department of immigration records, to school enrolment records and to the Australian Early Development Index.
The names were destroyed only after the records were linked.
Separately, and without asking for consent, the Bureau has been tracking five per cent of the population (more than one million people) through what it calls the Australian Census Longitudinal Dataset.
It has been using the names on the forms to create “linkage keys”, which enable it to follow respondents over time. Each census, the same name produces the same linkage key, enabling movements to be tracked. Once each key has been created, the name itself has been destroyed. It is impossible to reverse-engineer a key to derive the name.
“In 2016, I have decided to keep names and addresses for longer,” Mr Kalisch writes in today’s Sydney Morning Herald and Age. “This will enable the ABS to produce statistics on important economic and social areas such as educational outcomes, and measuring outcomes for migrants.”
Labelled by former Australian Statistician Bill McLennan “the most significant invasion of privacy ever perpetrated on Australians by the ABS,” the decision will formalise what was happening informally before Mr Kalisch joined the ABS in 2014. It will extend the period for research using names from 18 months to four years. All names collected will be deleted by August 2020 or when studies have been completed, whichever is the soonest.
The decision is a retreat on an announcement in December that names and addresses on census forms would be retained indefinitely.
“There are extremely robust safeguards in place to protect the privacy and confidentiality of the information collected in the census, including names and addresses,” Mr Kalisch writes in today’s Fairfax Media publications. “The ABS never has and never will release identifiable census data.”
Kat Lane, vice-chair of the Australian Privacy Foundation, said the real issue wasn’t the ABS security system. It was that there was no justification for tracking or personally identifying Australians.
The critical flaw gives an attacker ‘full control’ of all connected devices
Security researchers are warning Dell security management software admins to patch their systems after finding six high-risk vulnerabilities.
One of the highest-rated “critical” flaws involves a hidden default account with an easily-guessable password in Dell’s Sonicwall Global Management System (GMS), widely used software for centrally monitoring and managing an enterprise’s array of networked security devices.
The vulnerability could allow an attacker “full control” of the software and all connected appliances, such as virtual private networking (VPN) appliances and firewalls.
The flaws were detailed in an advisory posted by researchers at Digital Defense, a Texas-based firm that has a commercial stake in the vulnerability scanning business.
However, there’s no evidence to suggest the flaws have been actively exploited by attackers, the researchers said.
Dell acknowledged the flaws affect the most recent versions of the GMS software — versions 8.0 and 8.1 — and issued patches. In a security advisory, the company said it “highly recommends” that admins install the hotfix, available from its support pages.
A Dell spokesperson was unavailable for comment.
The recently-defunct IT company was once the third-largest music and video file sharing service in the US.
User accounts for iMesh, a now defunct file sharing service, are for sale on the dark web.
The New York-based music and video sharing company was a peer-to-peer service, which rose to fame in the file sharing era of the early-2000s, riding the waves of the aftermath of the “dotcom” boom. After the Recording Industry Association of America (RIAA) sued the company in 2003 for encouraging copyright infringement, the company was given status as the first “approved” peer-to-peer service.
At its peak in 2009, the service became the third-largest service in the US. But last month, iMesh unexpectedly shut down after more than a decade in business.
LeakedSource, a breach notification site that allows users to see if their details have been leaked, has obtained the database.
The group’s analysis of the database shows it contains a little over 51 million accounts.
The database, of which a portion was shared with ZDNet for verification, contains user information that dates back to late-2005 when the site launched, including email addresses, passwords (which were hashed and salted with MD5, an algorithm that nowadays is easy to crack), usernames, a user’s location and IP address, registration date, and other information — such as if the account is disabled, or if the account has inbox messages.
LeakedSource said in a blog post that iMesh was likely breached in September 2013, based on the most recent records in the database.
In a message on Saturday, one of the group members said that “someone obviously hacked” the site, but did not speculate on who was responsible. “Who knows who really did it,” the person said.
For its part, the company’s chief operating officer Roi Zemmer said in an email that the company “is not aware of any hacks” and “is currently using state of the art technology to protect users’ info.”
After repeated requests, Zemmer did not confirm whether or not a sample of the database we sent him, which was provided by LeakedSource, was valid. Zemmer did not outright deny that the company had been hacked.
Attempts to follow up with Zemmer over the weekend went unanswered.
Given that the service is no longer operational, it’s difficult to verify the data. We reached out by email to a number of those who most recently joined the service (which were listed in the breach) for confirmation, but we didn’t immediately hear back over the weekend. (We will update the story if that changes.)
What made the verification process more challenging is what appeared to be a considerable drop in user numbers in the site’s later years, based on LeakedSource’s analysis of the data. The service reached a peak of 9.4 million new users in 2009, but its growth had slowed to just 2.5 million new users by 2013 when the hack is said to have been carried out.
As many as 13 million accounts are from the US, with millions more from the UK and Europe.
The data is now up for sale on the dark web.
The hacker and seller who goes by the name “Peace,” who made a name for himself selling stolen data from Fling, LinkedIn, Badoo, and VK.com, also obtained a copy of the database — now thought to be in wide circulation among the hacker community.
In an encrypted chat, Peace confirmed that he is now selling the database on a dark web marketplace for 1 bitcoin, or about $590 at the time of writing.
The hacker has links to the MySpace, LinkedIn, & Tumblr “mega breaches.”
A hacker, who has links to the recent MySpace, LinkedIn, and Tumblr data breaches, is claiming another major tech scalp — this time, it’s said to be millions of Twitter accounts.
A Russian seller, who goes by the name Tessa88, claimed in an encrypted chat on Tuesday to have obtained the database, which includes email addresses (and sometimes two per person), usernames, and plain-text passwords.
Tessa88 is selling the cache for 10 bitcoins, or about $5,820 at the time of writing.
The seller said they obtained 379 million accounts as early as 2015. That would be far more than its 310 million monthly active users, but could account for cumulative accounts, such as inactive users.
An analysis of the database by LeakedSource, a breach notification site which received the database from the seller on Wednesday, showed there are in fact over 32 million purported accounts in the database, after duplicates were removed.
LeakedSource said in a blog post that it was unlikely that Twitter was breached, and pointed to malware as the culprit.
“The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” the blog post said.
The group said it was able to verify the passwords associated with 15 users. LeakedSource shared a portion of the database with me. Two colleagues whose email addresses were in the database were able to verify their password. A third colleague said they had not used the email address found in the database to join Twitter.
LeakedSource said that the passwords were likely “stolen directly from consumers, therefore they are in plaintext with no encryption or hashing.” The group said it did not believe that Twitter stored data in plain-text at the time the data was taken, thought to be around 2014.
“These credentials however are real and valid,” said the group. “The lesson here? It’s not just companies that can be hacked, users need to be careful too.”
As we’ve seen in recent data breaches, the most common password was “123456,” with the third and fourth password being “qwerty” and “password” respectively.
A Twitter spokesperson said in a prepared statement: “We are confident that these usernames and credentials were not obtained by a Twitter data breach — our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”
In a recent tweet, the company also said that it periodically checks its data against recent password leaks to ensure that accounts stay secure.
Given the high-profile Twitter account takeovers in recent days — which included Facebook co-founder Mark Zuckerberg — it would be an easy assumption to make that Twitter had been hacked.
But Zuckerberg’s account was not in the database obtained by LeakedSource, the blog post said.
The hackers who took over Zuckerberg’s account said at the time they acquired his “dadada” password from the LinkedIn breach.
When asked, a LinkedIn spokesperson declined to comment, pointed to a recently-updated company blog post, but ruled out any new breach, and advised users to change any re-used passwords on other sites.
Almost all organisations are vulnerable to hackers due to lack of cyber security staff or tools, report states.
Four out of five businesses lack the required infrastructure or security professionals with relevant skills to spot and defend against incoming cyberattacks.
According to a new report by US cybersecurity and privacy think tank Ponemon Institute on behalf of cybersecurity firm BrandProtect, 79 percent of cybersecurity professionals say that their organisations are struggling to monitor the internet for the external threats posed by hackers and cybercriminals.
Just 17 percent of respondents say that they have any sort of formal process in place for intelligence gathering which is applied across the whole company.
The report found that 38 percent of organisations don’t have any policy on threat intelligence gathering at all, while 23 percent have an approach that is ‘ad hoc’ at best. A further 18 percent say they do have a formal process in place, but it isn’t applied across the entire enterprise.
The Ponemon Institute claimed that businesses are on average experiencing more than one external cyberattack a month, with these repeated security breaches resulting in an annual average cost of around $3.5m.
But while many companies are failing to properly monitor external threats, the majority do recognise that they should be carrying out activities such as monitoring mobile apps, looking out for social engineering and phishing attempts, and keeping an eye on cyber threats – around 60 percent of respondents listed these activities as essential or very important to their business.
So why aren’t more organisations actively pursuing these leads in the interests of protecting themselves against hacks and data breaches? The study reported that there’s an insufficient awareness of risk across the whole organisation.
Half of respondents suggested that this was one of the main barriers to achieving effective cybersecurity, while almost as many described a lack of knowledgeable staff and a lack of tools as barriers to this goal – echoing previous reports of a severe lack of cybersecurity professionals and understanding of the risks caused by poor defences.
An anonymous hacker grabbed usernames, email addresses, then salted and hashed passwords.
The company that builds Ubuntu, a popular Linux distribution, has said its forums were hacked Thursday.
Canonical, which develops the operating system, said in a statement on Friday that two million usernames, email addresses, and IP addresses associated with the Ubuntu Forums were taken by an unnamed attacker.
The attacker was able to exploit an SQL injection vulnerability in an add-on used by older vBulletin forum software.
That gave the attacker access to the forum’s databases, but the company said that only limited user data was accessed and downloaded.
The statement stressed that no code or repository data was accessed, and the attacker couldn’t write data to the database or gain shell access. The attacker also didn’t gain access to any other Canonical or Ubuntu service.
Since the breach, the servers were wiped, rebuilt, and hardened, passwords were changed, and the forum software was fully patched.
The statement added that although the forums relied on Ubuntu’s single sign-on service, the passwords were hashed and salted, turning them into randomized strings of data. But the statement did not say which hashing algorithm was used — some algorithms, like MD5, are still in use but are deprecated, as they can be easily cracked.
A spokesperson for the company did not immediately respond to a question about the hashing algorithm.
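Both this statement and the iMesh database above turn on how stored passwords were hashed. The following is an added example, not code from Canonical, iMesh or either article: one way to harden a table of legacy salted-MD5 hashes immediately, without knowing any password, and then move each account to a plain slow hash at its next login. The record layout, scheme labels and scrypt parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for the example; tune them to your own hardware.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_md5(password: str, salt: bytes) -> bytes:
    """The weak scheme: a single fast MD5 over salt + password."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Memory-hard hash, so each guess against a stolen table is expensive."""
    return hashlib.scrypt(secret, salt=salt, **SCRYPT_PARAMS)


def new_record(password: str) -> dict:
    """Record for a new or freshly upgraded account: scrypt over the password."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt,
            "hash": slow_hash(password.encode("utf-8"), salt)}


def wrap_legacy_record(record: dict) -> dict:
    """Wrap a stored salted-MD5 hash in scrypt. Needs no plaintext password,
    so the whole table can be converted in one offline pass and the bare MD5
    column dropped afterwards."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(md5)", "md5_salt": record["salt"], "salt": salt,
            "hash": slow_hash(record["hash"], salt)}


def verify(password: str, record: dict):
    """Return (ok, record). On a successful login against a legacy or wrapped
    record, the returned record is re-hashed as plain scrypt."""
    if record["scheme"] == "md5":
        candidate = legacy_md5(password, record["salt"])
    elif record["scheme"] == "scrypt(md5)":
        inner = legacy_md5(password, record["md5_salt"])
        candidate = slow_hash(inner, record["salt"])
    else:
        candidate = slow_hash(password.encode("utf-8"), record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    if ok and record["scheme"] != "scrypt":
        record = new_record(password)
    return ok, record


if __name__ == "__main__":
    # Constructed sample record, not taken from any real database.
    salt = b"constructed-salt"
    old = {"scheme": "md5", "salt": salt, "hash": legacy_md5("correct horse", salt)}
    wrapped = wrap_legacy_record(old)
    print(verify("correct horse", wrapped)[1]["scheme"])
```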
UNDER wraps for 13 years, the US has released once-top secret pages from a congressional report into 9/11 that questioned whether Saudis who were in contact with the hijackers after they arrived in the US knew what they were planning.
The newly declassified document, with light redactions, names people the hijackers associated with before they carried out the attacks, killing nearly 3000 people in New York, Washington and on a plane that crashed in Pennsylvania. It identifies individuals who helped the hijackers get apartments, open bank accounts, attend local mosques and get flight lessons. Fifteen of the 19 hijackers were Saudi nationals and several were not fluent in English and had little experience living in the West.
Later investigations found no evidence that the Saudi government or senior Saudi officials knowingly supported those who orchestrated the attacks. But politicians and relatives of victims, who don’t think all Saudi links to the attackers were thoroughly investigated, campaigned for more than 13 years to get the final chapter of the 2002 congressional inquiry released.
Saudi Arabia has called for the release of the chapter since 2002 so the kingdom could respond to any allegations and punish any Saudis who may have been involved in the attacks.
“Since 2002, the 9/11 Commission and several government agencies, including the CIA and the FBI, have investigated the contents of the ‘28 pages’ and have confirmed that neither the Saudi government, nor senior Saudi officials, nor any person acting on behalf of the Saudi government provided any support or encouragement for these attacks,” Abdullah Al-Saud, Saudi Arabia’s ambassador to the United States, said in a statement. “We hope the release of these pages will clear up, once and for all, any lingering questions or suspicions about Saudi Arabia’s actions, intentions, or long-term friendship with the United States.”
“Saudi Arabia is working closely with the United States and other allies to eradicate terrorism and destroy terrorist organisations,” he said.
House intelligence committee Chairman Devin Nunes said that while he supported the release, “it’s important to note that this section does not put forward vetted conclusions, but rather unverified leads that were later fully investigated by the intelligence community.”
However, others — including Former Florida Senator Bob Graham, the co-chairman of the congressional inquiry — believe the hijackers had an extensive Saudi support system while they were in the United States.
Mr Graham has said that the pages “point a very strong finger at Saudi Arabia as being the principal financier.”
Former US President George W. Bush classified the chapter to protect intelligence sources and methods, although he also probably did not want to upset US relations with Saudi Arabia, a close US ally.
Two years ago, under pressure from the families of those killed or injured on September 11, and others, US President Barack Obama ordered a declassification review of the chapter.
Director of National Intelligence James Clapper conducted that declassification review and transmitted the document to Congress, which released the pages online a day after Congress recessed ahead of the national political conventions.
Several investigations into 9/11 followed the congressional inquiry, which released its report — minus the secret chapter — in December 2002. The most well-known investigation was done by the 9/11 Commission, led by Republican Tom Kean and Democrat Lee Hamilton.
Mr Kean and Mr Hamilton said the 28 pages were based almost entirely on raw, unvetted material that came to the FBI. They said the material was then written up in FBI files as possible leads for further investigation.
They said the commission and its staff spent 18 months investigating “all the leads contained in the 28 pages, and many more.”
The commission’s 567-page report, released in July 2004, stated that it found “no evidence that the Saudi government as an institution or senior Saudi officials individually funded” al-Qaeda. “This conclusion does not exclude the likelihood that charities with significant Saudi government sponsorship diverted funds to al-Qaeda.”
Some critics of the commission’s work say the commission failed to run down every Saudi lead and say various agencies obstructed its work. Mr Kean and Mr Hamilton also complained that various government agencies withheld relevant information.
Qualcomm is working on a fix, but it might not be possible
Android’s full disk encryption can be broken with brute force and some patience — and there might not be a full fix available for today’s handsets.
This week, security researcher Gal Beniamini revealed in a detailed step-by-step guide how it is possible to strip away the encryption protections on smartphones powered by Qualcomm Snapdragon processors, which means millions of mobile devices could be vulnerable to attack.
Android’s Full Disk Encryption (FDE), first implemented in Android 5.0, randomly generates a 128-bit master key and 128-bit salt to protect user data. The master key, also known as the Device Encryption Key (DEK), is protected by encryption based on the user’s credentials, whether this is a PIN, password, or touchscreen pattern.
The now-encrypted DEK is then stored on the device.
In order to prevent successful brute-force attacks against this process, Android introduced delays between decryption attempts and data wipes after a number of failed attempts (in the same way as Apple). To prevent off-device, brute-force attacks, the key is bound to the device’s hardware — and this is where a security flaw in Qualcomm systems has caused a problem.
The binding is performed through Android’s Hardware-Backed Keystore, called KeyMaster. The module runs in a Trusted Execution Environment (TEE), which is considered the “secure world”, while the Android OS is considered the “non-secure world”.
The reasoning is that KeyMaster can be used to generate encryption keys and perform cryptographic functions without revealing this information in the main operating system.
Once keys are generated, they are encrypted and returned to the main OS, and when operations require these keys, an encrypted block of data — the “key blob” — must be provided to KeyMaster. The key blob contains a 2,048-bit RSA key that runs inside a secure portion of the device’s processor and is required for cryptographic processes.
“Since this is all done without ever revealing the cryptographic keys used to protect the key blobs to the non-secure world, this means that all cryptographic operations performed using key blobs must be handled by the KeyMaster module, directly on the device itself,” the researcher says.
However, KeyMaster’s implementation is down to the hardware vendor. Qualcomm’s version runs in the Snapdragon TrustZone, which is meant to protect sensitive functions, such as biometric scanning and encryption, but Beniamini found it is possible to exploit an Android security hole to extract the keys from TrustZone.
Qualcomm provides a Trusted Execution Environment, called QSEE (Qualcomm Secure Execution Environment), which allows small apps, known as “Trustlets”, to run inside of this secure environment and away from the main Android OS. And one of these QSEE apps running is KeyMaster.
But you can exploit an Android vulnerability to load your own QSEE app inside TrustZone, which can lead to privilege escalation and hijacking of the full space, as well as the theft of the unencrypted blob containing the keys generated for full-disk encryption.
Once this step is complete, a brute-force attack is all you need to grab the user password, PIN, or lock, and you have both parts of the puzzle needed to strip away Android’s FDE.
As noted by The Register, the researcher has been in touch with the developer of hashcat, used to crack hashes, to implement the function being brute-forced, which would speed up the cracking process.
“As we’ve seen, the current encryption scheme is far from bullet-proof, and can be hacked by an adversary or even broken by the OEMs themselves (if they are coerced to comply with law enforcement),” the researcher noted. “[…] However, I believe a concentrated effort on both sides can help the next generation of Android devices be truly “uncrackable”.”
Beniamini has also contacted Qualcomm concerning this issue but says that “fixing the issue is not simple” and might even require hardware changes. So, until handsets are upgraded or switched to newer models, the problem will remain.
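The design the article describes (a credential-derived key that must pass through a device-held key before it can unwrap the DEK, with failed attempts counted on the device) can be modelled in a few lines. This is an added, simplified Python model, not Android's or Qualcomm's code: HMAC-SHA256 stands in for the KeyMaster RSA operation, an XOR wrap stands in for the DEK encryption, and the class names, attempt limit and scrypt cost are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # assumed wipe threshold for the model


def kdf(secret: bytes, salt: bytes) -> bytes:
    # Low scrypt cost so the model runs quickly; not a production setting.
    return hashlib.scrypt(secret, salt=salt, n=2**12, r=8, p=1, dklen=32)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SecureWorld:
    """Stand-in for KeyMaster: the key is used here and never handed out."""

    def __init__(self):
        self._hw_key = os.urandom(32)

    def bind(self, intermediate: bytes) -> bytes:
        return hmac.new(self._hw_key, intermediate, hashlib.sha256).digest()


class Device:
    def __init__(self, credential: str):
        self.secure_world = SecureWorld()
        self.salt = os.urandom(16)   # 128-bit salt
        self.failures = 0
        self.wiped = False
        dek = os.urandom(16)         # 128-bit master key (DEK)
        kek, mac_key = self._derive(credential)
        self.wrapped_dek = xor(dek, kek)  # the "now-encrypted DEK" kept on disk
        self.check = hmac.new(mac_key, self.wrapped_dek, hashlib.sha256).digest()

    def _derive(self, credential: str):
        ik1 = kdf(credential.encode("utf-8"), self.salt)  # computable anywhere
        ik2 = self.secure_world.bind(ik1)  # computable only with the device key
        ik3 = kdf(ik2, self.salt)
        return ik3[:16], ik3[16:]

    def unlock(self, credential: str):
        """Return the DEK, or None on a wrong credential; wipe after too many."""
        if self.wiped:
            raise RuntimeError("device wiped")
        kek, mac_key = self._derive(credential)
        tag = hmac.new(mac_key, self.wrapped_dek, hashlib.sha256).digest()
        if hmac.compare_digest(tag, self.check):
            self.failures = 0
            return xor(self.wrapped_dek, kek)
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.wrapped_dek = self.check = b""
            self.wiped = True
        return None


def copy_storage(src: Device, dst: Device) -> None:
    """Model copying the on-disk data (salt, wrapped DEK, check) elsewhere."""
    dst.salt, dst.wrapped_dek, dst.check = src.salt, src.wrapped_dek, src.check


if __name__ == "__main__":
    phone = Device("2468")   # constructed sample PIN
    other = Device("2468")
    copy_storage(phone, other)
    print(phone.unlock("2468") is not None, other.unlock("2468") is None)
```

In this model the flaw the article reports corresponds to `_hw_key` becoming readable outside `SecureWorld`: derivation then no longer needs the device, so the attempt counter stops bounding guesses and the protection rests on the credential's entropy alone.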