Scripps isn’t being hailed for exposing the error, though, and has been accused by telecom attorneys of hacking into computers to gain access to the records — a claim the reporters dispute.

According to the journalists, they uncovered the files using nothing more than a simple Google search.

Reporters with Scripps were investigating Lifeline, a government benefit program that provides low-income Americans with discounted phone service, when they came across the sensitive data.

“While looking into companies participating in the program, the Scripps News investigative team discovered more than 170,000 records posted online listing sensitive information such as Social Security numbers, home addresses and financial accounts of customers and applicants of Lifeline,” the news service wrote this week.

According to Scripps, Oklahoma-based TerraCom Inc. and an affiliate, YourTel America Inc., were up until recently hosting around 170,000 files just like these on the Internet, unencrypted and easy to find for anyone looking in the right spot. In fact, the journalists say they discovered the records by keying a basic search query into Google.com.

“A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel,” Scripps reported.

When another journalist conducted a follow-up Google search of the website, Scripps was presented with a trove of documents that were all hosted online without any security system in place to restrict access.
From there, they used computer code to download the publicly available records and eventually possessed the entire trove without ever hacking any passwords or posing as an unauthorized party.

The reporters put the number of Lifeline applicants whose privacy was breached at around 44,000, spanning 18 states in the US.

San Antonio, Texas resident Linda Mendez, 51, was among the thousands of customers whose personal info was compromised due to the lack of security. When Scripps presented her with a completed TerraCom application she was shocked.

“How can they make it so easy like this for people to steal somebody’s identity?” Mendez asked.

Scripps asked similarly of TerraCom but was met with a shocker as well. Shortly after they presented their findings to the telecom, the files disappeared off the website. Then came a warning from TerraCom’s attorney.

“The person or persons using the Scripps IP address have engaged in numerous violations of the Computer Fraud and Abuse Act,” insisted TerraCom’s lawyer, Jonathan Lee, “by gaining unauthorized access into confidential computer files maintained for the Companies by Vcare, and by digitally transferring the information in these folders to Scripps. I request that you take immediate steps to identify the Scripps Hackers, cause them to cease their activities described in this letter and assist the companies in mitigating the damage from the Scripps Hackers’ activities.”

“Shoot the messenger,” wrote a blogger for NetworkWorld. “Reporters found a gaping security hole exposing 170,000 Lifeline phone customer records online, but were labeled Scripps Hackers and accused of violating [the] CFAA.”

Lee continued:

“If the purpose of the hacking was journalistic and the Scripps Hackers have not made and do not intend to make any further disclosure of the hacked data, then any financial or other risk for those applicants would be minimal and notification of the breach may not be necessary under the law of about half of the states involved.
However, the downloading of more than 120,000 files over a period of several weeks may not be consistent with solely journalistic intent.”

New York-based attorney Tor Ekeland represented security researcher Andrew Auernheimer during a CFAA case that ended earlier this year with a federal judge sentencing the so-called hacker to 41 months in prison. In Auernheimer’s case, he was convicted of gaining unauthorized access to the personal details of thousands of AT&T customers after he discovered — and disclosed — a major security flaw that exposed the data of Apple iPad users in a major breach.

“I don’t see much difference between what happened in that case and what happened here,” Ekeland wrote on his website this week, “[e]xcept maybe that the DOJ might be a bit sensitive about going after reporters given their current track record on that front.”

“By not defining its key operative phrase ‘unauthorized access’ as requiring bypassing a password or some other type of technological access barrier, it allows corporations to be negligent regarding their infosec,” or informational security, wrote Ekeland. “The corporations know that someone else, and not themselves, will suffer the consequences for discovering their confidential data that the corporation has displayed for all to see on the open Web. Why should anyone disclose any computer security flaw in that type of set up? Why risk a felony conviction? Better to keep your mouth shut and let all sorts of criminal organizations and foreign governments harvest the information than to incur the wrath of the Department of Justice and a vexatious and costly civil suit.”

Before being sentenced, Auernheimer himself wrote that “in an age of rampant cyber espionage and crackdowns on dissidents,” the only ethical way to disclose security exploits was to avoid going to the company involved or the government that might prosecute you.
“In a few cases, that individual might be a journalist who can facilitate the public shaming of a web application operator. However, in many cases the harm of disclosure to the un-patched masses . . . greatly outweighs any benefit that comes from shaming vendors.”

Scripps’ attorney, David Giles, responded, much like Ekeland, that TerraCom was misinterpreting the CFAA. “Regardless of the flowery moniker you have used to characterize the bureau’s newsgathering activities, the bureau’s reporters have not violated the Computer Fraud and Abuse Act or any other law or regulation,” Giles wrote. “Rather, in the process of gathering newsworthy information, the bureau accessed – via a basic Internet search – personal and confidential information that apparently is available to anyone with a computer, an outlet and access to electricity.”

Scripps requested an on-camera interview with TerraCom before and after making their disclosure in order to show the company face-to-face how they “hacked” into their network. TerraCom acknowledged the breach on their website and told customers that “names, addresses, Social Security numbers, tax information and other government forms used by our company to determine applicant eligibility for the federal Lifeline program” were all compromised. …
A couple of months ago we heard that Florida
abusing driver and vehicle databases to gain information on a
fellow officer who had the nerve to arrest one of their own — as
well as for other run-of-the-mill, unofficial creepiness. Now we
discover that misuse of databases by police is a problem in
Minnesota, too. One of the more prominent targets of data-trawling
is a former police union attorney, who was the subject of hundreds
of unauthorized inquiries.
Brooke Bass spent her legal career looking out for the best
interests of police officers.
They were looking out for her, too, her lawyer says — but in a
In the past eight years, more than 100 entities across Minnesota
– nearly all of them law enforcement — accessed Bass’s private
driver’s license information more than 700 times, her attorney
That would make her the subject of the biggest privacy breach to
date in the state’s increasingly broad and increasingly expensive
As the article makes clear, the problem doesn’t begin and end
with Bass. In fact, it’s so widespread that “at least one law firm
has placed an ad in a newspaper in southwestern Minnesota seeking
claimants.” There’s certainly more to come, since the Legislative
Auditor’s office “found more than half of Minnesota law enforcement
personnel with access to driver’s license data might have made
Note that IRS agents have been caught entertaining themselves
with similar searches of the sensitive records at their disposal,
profit. But as government agencies acquire and store ever-more
information about our finances, guns, health and many other
matters, they’re sure to get it right eventually? Aren’t they?
…
The source code and unique UEFI signing test key for firmware developed by American Megatrends Inc. (AMI) have been discovered on an FTP server in Taiwan. What makes the news especially damning is that the sensitive data was allegedly stored on a public server owned and operated by a third… …
The United States has sent F-22 stealth fighter jets to participate in ongoing military exercises with South Korea. The move is highly controversial and can be interpreted differently, James Corbett, host of the Corbett Report, told RT.

RT: We know tension is running high on the Peninsula. Why are Seoul and Washington holding military exercises at such a sensitive time?

James Corbett: I suppose the official answer to that would be that it’s just part of annual joint military drills that are held always around this time of year. But I think that we have to see that this being done in the midst of this provocation and this rising tension as a self-admitted attempt to ratchet up things, and to put a little bit of pressure on Pyongyang. I think that this has to be seen as an attempt to try to rein in some of this bellicose rhetoric that we’ve been hearing in the last few days and to try to do something, to put some of the chips on the table. I think that this has the possibility of ratcheting things up to the point where tensions might actually spill over as a result of this, and we saw that recently with the deployment of B-2 nuclear armed bombers in South Korea which is not only, I think, worrying to Pyongyang, but also to China, to have nuclear bombers that close to the peninsula there, on China’s southern border. I think that China wouldn’t be pleased with that either, so this is quite an escalation that’s taking place.

RT: What actions would prompt South Korea to carry out a pre-emptive strike against its neighbor?

JC: Well I don’t know if that’s something that we’re looking at realistically, but the most likely scenario here would be some sort of blunder or misinterpretation on one side or the other because everything is on the knife’s edge. As I’ve said before, I think that all of the players here have interest of keeping the tension up, but not allowing it to spill over.
I think that obviously works for North Korea which could be easily wiped out in a military confrontation, but it also works for South Korea and America, and all of the allies here in this region that also serve to benefit from this. We’ve seen this directly, for example, with the announcement of more missile defense in southern-western coast of the United States that are now going to be 14 new ground-based interceptors deployed in Alaska at the cost of US taxpayers, for $1 billion by 2017. So this is doing fantastic business for the defense contractors who serve to feed into this tension and play off it. So, honestly, I don’t think there are plans for pre-emptive strikes at this moment. I think this is more a question of if this will spill accidentally over something more.

RT: Pyongyang claims it has missiles on standby to attack US targets. Is Washington actually taking the North Korean threat seriously?

JC: I think that the thing they keep in mind is that the idea of some sort of nuclear spectre hanging over America at the moment is laughable at best. Certainly, they know that there are wildly inaccurate Taepodongs 2 and 3 missiles, even if they can actually reach the western part of the United States which is really just theoretical at this point. But even if they could, North Korea would be, by best analysts’ estimates, several years away from militarizing nuclear devices onto warheads. And even then, the nuclear devices they have so far come with about one half of the Hiroshima bomb had. [So this is] quite [a] small bomb. This isn’t an imminent threat, this isn’t going to strike out any day now, I think, in that sense this isn’t a threat to the American mainland. That aspect of it is being hyped up, but it serves to justify $1 billion of missile interceptors. I think the defense contractors will be laughing all the way to the bank.

RT: Continued sanctions against Pyongyang have had no effect.
Could it be time for the international community to return to negotiations?

JC: There has to be some sort of change to the status quo here, and it is the question of what sides can be brought to this table because obviously, the six-party talks have gone nowhere, and in fact really digressed to the point we’re now at this stage again. So I think there have to be some different players at the table. I think ultimately most people are expecting this evolving into some sort of negotiation between the US and China, whether directly or indirectly through this confrontation. I think those are the two main players that are feeding into this right now, and which really do have Pyongyang in the balance. So I think that it’s going to involve those parties at some point in some way, but at this point I just don’t see how this is going to arrive, certainly not within the framework of this six-party talks as they’ve existed over the past decade. …
While many in the real world have been warning about the increase of premiums that will result in the ironically named Affordable Care Act, aka Obamacare, Health and Human Services Secretary (and known federal law breaker) Kathleen Sebelius has finally admitted that costs will increase for consumers, despite the denials of the Socialists in Congress and the Socialist in the White House. …
A Department of Defense instruction issued on Friday reinforces the policy that the DoD Office of Inspector General (OIG) is to have full access to all records, including classified records, that it needs to perform its function, and that no DoD official other than the Secretary himself may block such access.
“The OIG must have expeditious and unrestricted access to all records…, regardless of classification, medium (e.g. paper, electronic) or format (e.g., digitized images, data) and information available to or within any DoD Component, and be able to obtain copies of all records and information as required for its official use once appropriate security clearances and access are substantiated for the OIG DoD personnel involved,” the instruction states. See “Office of the Inspector General of the Department of Defense Access to Records and Information,” DoD Instruction 7050.03, March 22, 2013.
By stressing that the Inspector General’s access is independent of a record’s classification, medium or format, this language elaborates and bolsters the text of a previous version of the instruction, which did not make those distinctions.
Furthermore, the new instruction specifies, “No officer, employee, contractor, or Service member of any DoD Component may deny the OIG DoD access to records.” Only the Secretary of Defense may invoke a statutory exemption to limit IG access to certain intelligence, counterintelligence, or other sensitive matters, which he must then justify in a report to Congress.
As a result of these robust access provisions, the DoD Inspector General is well-positioned to conduct internal oversight not only of the Pentagon’s extensive classified programs, but also of the classification system itself, particularly since the Department of Defense is the most prolific classifier in the U.S. government.
In fact, the Inspector General of each executive branch agency that classifies national security information is now required by the Reducing Over-Classification Act of 2010 to evaluate the agency’s classification program. Each Inspector General was directed “to identify policies, procedures, rules, regulations, or management practices that may be contributing to persistent misclassification of material.”
The first evaluation is due to be completed by September 30, 2013. Vexingly, the Act did not provide a functional definition of “over-classification” or “misclassification.” Therefore, the first hurdle that the IG evaluations must overcome is to determine the nature and the parameters of the problem of over-classification. …
The CIA’s increased involvement in Syria is part of America’s greater engagement in the war-torn country, according to The Wall Street Journal. The spy agency has selected some small rebel units from the Free Syrian Army to receive combat training and fresh intel they can act upon, the newspaper says, citing unnamed US officials and rebel commanders.

The training is provided by the CIA, working together with British, French and Jordanian intelligence agencies. The rebels are taught to use various kinds of arms, including anti-tank weapons. They are also schooled in urban combat tactics and counterintelligence tactics. The experience will supposedly help them stand against the professional Syrian army, which scores victories against the armed opposition thanks to both more advanced weapons and better organization.

The rebels are also receiving fresh intelligence collected by the CIA, which they can act upon at short notice. The extent of the info provided remains secret, but the US can potentially provide what they gather through satellite and signal surveillance as well as intelligence coming through exchanges with Israeli and Jordanian agencies.

The CIA is said to keep this part of dealing with the rebels limited, withholding sensitive types of information, like the suspected locations of Syrian chemical weapons stockpiles.

The US spy agency was previously working in Turkey vetting rebel groups for receiving arms shipments from Gulf monarchies. The effort aimed at preventing the weapons from being funneled to Islamists had mixed results, the WSJ says. The CIA also works with Iraqi counterterrorism units to counter the flow of Islamist militants across the border to Syria.

The White House has been reluctant to send combat-worthy equipment to Syrian rebels, despite calls inside the US and from Gulf and some European countries to do so. It is concerned that those would end up in the hands of the more powerful Al-Qaeda-linked terrorist force, the Nusra Front.
Unlike arms, the intelligence from the CIA is operationally useful for a short period of time and would not be traded for years to come, a US official explained.

Washington’s concern over the growing influence of the Nusra Front was reiterated on Friday by President Barack Obama, as he was visiting Jordan as part of his Middle Eastern tour.

“I am very concerned about Syria becoming an enclave for extremism because extremists thrive in chaos, they thrive in failed states, they thrive in power vacuums,” Obama said after meeting Jordan’s King Abdullah II.

The Nusra Front is believed to be responsible for the bloodiest bombings in Syria over the past months. The latest such attack was the assassination of Mohammad Buti, an influential Sunni preacher and supporter of the Syrian government. Buti was killed on Thursday along with some 50 others when a car bomb was detonated near a Damascus mosque.

The US is reportedly gathering intelligence on Nusra Front commanders and fighters for a possible campaign of targeted drone killing similar to those the CIA wages in Pakistan and Yemen and the Pentagon in Afghanistan. …