FBI Records, Emails, Social Security Numbers Exposed In A Million Files Data Leak; Anonymous Separately Leaks All FBI Agents

 

A massive data leak has been reported at the Oklahoma Securities Commission. Millions of records, including files related to sensitive FBI investigations over the last seven years, emails dating back 17 years and thousands of Social Security numbers, have all been exposed.

The breach was revealed last month by Greg Pollock, a cybersecurity researcher at UpGuard, who stated he found that millions of files were publicly available on an online server and required no password to access, exposing the complete lack of security for sensitive information by U.S. government officials.

“It represents a compromise of the entire integrity of the Oklahoma Department of Securities’ network,” UpGuard’s Chris Vickery told Forbes, the first outlet that reported the breach. “It affects an entire state level agency. … It’s massively noteworthy.”

Vickery told Forbes that the exposed FBI documents included “all sorts of archive enforcement actions” from the last seven years. He added that the records also contained various files with agent-filled timelines of interviews related to investigations, bank transaction histories, and emails from individuals related to the cases.

The FBI files also named notable companies and banks such as AT&T, Goldman Sachs, and Lehman Brothers, although Forbes didn’t comment on whether the organizations were under investigation.

The leak further contained emails that date back 17 years, Social Security numbers and other data stretching back to the 1980s, according to Forbes.

The breach was caused by an rsync server that had been left open. Such servers are traditionally used to back up large batches of data, but that information is supposed to be secure and should be protected by a username and password. This server had neither, making it accessible to anyone with an internet connection.
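The misconfiguration described above can be checked for on the defender's side. The following is an added example, not part of the original article or of any UpGuard tooling: a short Python audit that reads an rsyncd.conf and reports modules with no "auth users" or "hosts allow" setting. The sample configuration and its module names are constructed for illustration.

```python
SAMPLE_CONF = """\
# constructed sample configuration, not taken from the incident
read only = yes

[backups]
    path = /srv/backups
[archive]
    path = /srv/archive
    Auth Users = backupsvc
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""

def _key(name):
    # rsyncd.conf ignores case and whitespace inside parameter names
    return "".join(name.split()).lower()

def parse_modules(text):
    """Return {module: params}; global parameters act as per-module defaults."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            current = None if name.lower() == "global" else name
            if current is not None:
                modules[current] = dict(defaults)
            continue
        if "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            target = defaults if current is None else modules[current]
            target[_key(name)] = value.strip()
    return modules

def audit(text):
    """Map each risky module to the list of access controls it lacks."""
    checks = (("authusers", "auth users"), ("hostsallow", "hosts allow"))
    findings = {}
    for module, params in parse_modules(text).items():
        missing = [label for key, label in checks if not params.get(key)]
        if missing:
            findings[module] = missing
    return findings

if __name__ == "__main__":
    for module, missing in audit(SAMPLE_CONF).items():
        print(f"[{module}] lacks: {', '.join(missing)}")
```

A module listed with "auth users" missing accepts any client that can reach the daemon, which is the condition the article describes.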

If that’s not enough, passwords for computers on the Oklahoma government’s network were also revealed by the breach.

While this isn’t reported to be a hack, only a slight exposure, a mysterious file appeared on the private Pastebin-like website privatebin.net. The file, posted by Anonymous and claiming to be from CgAN (https://cyberguerrilla.info), contains purported leaked information on all current FBI agents, their professions, phone numbers, and email addresses, as well as IP addresses for several intelligence services including the CIA, GCHQ, and many others.

The encrypted message opens by stating “it’s time to unite against the system and fight the intelligence agencies.”

“UNITE AGAINST SYSTEM! Eye is watching you every single second of time!
Become Anonymous! Strike against intelligence services!
Targeted and leaked intelligence services: DGSE (France), MI6 (UK), CIA and FBI (USA)

defense.gouv.fr ||| DGSE ||| Direction générale de la sécurité extérieure ||| 45.60.184.47
sis.gov.uk ||| MI6 – The Secret Intelligence Service (SIS) ||| 194.61.183.124
cia.gov ||| Central Intelligence Agency ||| 23.192.74.22
fbi.gov ||| Federal Bureau of Investigation ||| 104.16.78.187 , 104.16.79.187 , 104.16.77.187 , 104.16.76.187 , 104.16.75.187

Citizens of the world, you have just few time to ACT for your future and freedom!
Governments are submitting new laws that human rights of all citizens will be suspended forever!
Intelligence services are preparing to arrest all activists, whistleblowers, freedom organizations, hackers and hacktivists all around the world in a year!

All activists who are acting for freedom and peace,
All hackers who are on the side of internet freedom,
All citizens who do not want to be as a slave in future,

Act against them save Anonymous and Wikileaks,
They are preparing to destroy all freedom activists and peace defenders,
We have to unite!
Take action to free all Anons, to free all activists, to save Anonymous
to free Julian Assange, to save Wikileaks,
to free Timothy Justen French, free James E. Robinson, free Jeremy Hammond, free Martin Gottesfeld, free Matt Dehart.

Save freedom activists for peace and our future!
We are Anonymous
We do not forgive,
We do not forget,
Expect us!,” Anonymous writes.

There is no information available on how Anonymous obtained the list of FBI officials or what FBI server was reached to obtain the data. However, this continues to expose that security is a joke even when taken seriously: if a hacker wants to find a vulnerable entry point, they will.

 

A Bug Bounty Hunter Gets Threatened With CFAA For Sharing Evidence

DJI, a Chinese drone manufacturing company, had its private keys, both for the “wildcard” certificate covering all the company’s web domains and for cloud storage accounts on Amazon Web Services, exposed publicly for years in code posted to GitHub by company developers.

Kevin Finisterre used this data to reach important private information uploaded by DJI customers, such as images of flight logs, government IDs and passports, even associated with military domains. When he found out the company had a bounty program, he applied for it. The program was launched after the US Army issued a ban on using DJI drones for any military purpose due to ‘operational security’ concerns. Firmware of DJI drones was also hacked, reports said.

DJI appreciated Finisterre’s finding that the company’s SSL certificates and firmware encryption keys had been exposed via GitHub for years and rewarded the bounty hunter with the $30,000 top prize. However, after he had exchanged 130 email messages with the company’s IT department and communicated with its legal department, which offered no legal protection for Finisterre’s research about the exposed data, the company stated that if the bounty hunter did not destroy all his findings he was going to face prosecution under the CFAA. Finisterre did not accept the agreement, since it included a threat and would also have silenced him, and he decided to go public about it. He got called a ‘hacker’ for this, and the company acted as if they barely knew who he was despite the 130 exchanged email messages concerning the exposed data.

DJI’s Phantom brand quadcopter drone

As you all will remember, last April, Marcus Hutchins, a British cybersecurity researcher, was arrested by the FBI at a Las Vegas airport while he was returning home from the annual Def Con hacking conference. He was the researcher who discovered a hidden ‘kill switch’ for WannaCry that stopped this worldwide ransomware attack, which resulted in a lot of damage. The authorities blamed him for being a part of this attack as the creator of the Kronos malware that caused the attack.

Cases like these discourage security researchers from finding out about a problem and reporting it. While the issue got resolved in both cases by researchers, they were threatened, silenced and even punished with a trial and possible jail time.

Drones used by the military over areas where civilians live pose a high threat and have caused many lost lives. When the sensitive data cannot be protected, malicious attacks would make this even more dangerous. Security researchers play an important part in preventing such threats.

Sources:

http://www.realclearlife.com/technology/marcus-hutchins-wannacry-ransomware-arrested/

https://www.buzzfeed.com/kevincollier/wannacry-malware-hero-likely-considering-plea-deal-on

https://arstechnica.com/information-technology/2017/11/dji-left-private-keys-for-ssl-cloud-storage-in-public-view-and-exposed-customers/

https://www.techdirt.com/articles/20171117/11504938638/drone-maker-dji-offers-bug-bounty-program-then-threatens-bug-finder-with-cfaa.shtml

https://www.thebureauinvestigates.com/stories/2017-01-17/obamas-covert-drone-war-in-numbers-ten-times-more-strikes-than-bush

http://www.independent.co.uk/news/world/americas/us-politics/donald-trump-civilian-deaths-syria-iraq-middle-east-a7649486.html

Equifax Has Sold Private Data Including Salary Details of Millions of Employees To Other Companies

An Equifax-owned company called Workforce Solutions, also known as The Work Number (TALX), sold salary data of its employees to debt specialists, financial service companies, and other organizations. Facebook Inc. is one of those companies buying such data despite the fact that the U.S. Federal Trade Commission put Facebook on privacy probation.

It is well known that social media such as Facebook now encourage their users to share their private data online. These sites’ entire policies are based on encouraging their customers to share their private lives as much as possible. The data shared (most of the time voluntarily) is sent to several organizations and companies regardless of users’ consent. Although social media users share their private lives online, salary is one of the sacred areas for most people, who would not want to post publicly how much they earn. Facebook has been buying data from Equifax and also selling all the private data it collects from its users back to several companies, including Equifax, which had a breach that exposed 143 million Americans’ private information.

Equifax’s Work Number database now contains over 296 million employment records and covers employees at all wage levels, from CEOs to interns. Considering how loose their security level is, as is apparent from the breaches, it is not even a surprise that there was unauthorized access to their employee tax records lasting over a year, from April 2016 to May 2017. Cybersecurity expert Brian Krebs states that ‘crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees,’ to breach TALX’s databases, the Tax Form Management platform. He said that due to this method of breaching, Equifax has no idea how many employees were affected by it. Krebs also reported that last September, a research team was able to access 14,000 consumer records after slipping into an online portal where Equifax employees in Argentina manage credit report disputes from consumers, as the password combination was set to an easy guess such as admin/admin.

The salary database that Equifax-owned The Work Number puts on sale is so detailed that it shows week-by-week data for years, health care providers, types of health care coverage, files of unemployment claims and more. The data The Work Number owns and sells includes 12 million records.

Equifax can easily get and store such private and hidden information through thousands of U.S. businesses, including Fortune 500 companies, government agencies (who hold 85 percent of the entire country’s population), the Department of Defense and even schools. These sectors and people let Equifax tap directly into their data so that the credit bureau can have the latest job information and they even pay for Equifax to own their workers’ private information as they see it as a privilege. Once Equifax collects the private data, it sells the data to third parties such as debt agents, social media giants like Facebook Inc., and various companies giving financial services.

A good example could be given when we look at Facebook employees. A typical employee at Facebook may require verification of his employment through TALX when he applies for a loan, public aid, or a new job. If his new prospective employer is among the 70,000 approved entities in Equifax’s verifier network with a “permissible purpose”, that company can purchase his employment and income information for about $20. Prospective landlords can verify an applicant’s income through The Work Number, or human resources departments can examine an applicant’s background information much cheaper.

How the Work Number process works, according to a 2007 slide about Equifax’s $1.4 billion acquisition of TALX that year. Image: SEC

Of course, gathering data, which accounted for more than a fifth of the firm’s $3.1 billion revenue last year, makes TALX one of the most profitable businesses of Equifax. Rick Smith, Equifax’s former CEO, said at an event at the University of Georgia in August: “That acquisition, by the way—I don’t know if I’m proud of this or not—but it’s worth about $9 billion today.”

Equifax already confirmed in an emailed statement to News that it shares ‘job data’ with debt collectors and others in agreement with Fair Credit Reporting Act guidelines.

Although the Work Number database presents a continuous threat to both employees and consumers, with its large store of private data and little to no protection for it, the Work Number stated it will continue to supply such data to its customers, sale of the data included.

Such private data being shared by financial companies means your health status, credit history, financial status, debts, salary, your bank accounts and several other private details about your life are exposed to many organisations and companies. When, for instance, you fail to pay your credit card debt or hospital bill, the companies can withdraw this amount from your bank account and you won’t even realize it unless you see a detailed account report.

At this point, there does not seem to be a real solution to this big scandal concerning the violation of private data since the Federal Trade Commission (FTC), which is supposed to take care of such issues, also sends its employees’ data to Equifax and it is an Equifax client as well. FTC regularly sends wage and work information about its attorneys and staff members to the Work Number database.

Trade specialists describe this, one of the biggest scams of our century concerning the violation of companies’ customer-related data, as a ‘secret CIA’, since it is being done legally and nobody does anything to prevent it.

Sources:

https://www.fastcompany.com/40485634/equifax-salary-data-and-the-work-number-database

https://krebsonsecurity.com/2017/10/equifax-breach-fallout-your-salary-history/

https://www.nbcnews.com/technology/exclusive-your-employer-may-share-your-salary-equifax-might-sell-1B8173066

Microsoft internal bug database hacked in 2013 and silence followed

Microsoft’s internal database for bug tracking was hacked over 4 years ago. The hack was discovered back in 2013 but was never disclosed to the public. The hacked database contained a list of secret security flaws and possible exploits within the company’s widely used software. Microsoft managed to fix the issue within months after that. However, what is disturbing is that the public was never informed. During the months Microsoft was creating solutions to combat the possible exploits, the public was exposed to numerous threats without knowing about it.

The company checked to see if the leaked information had been used in other breaches around that same time, before Microsoft was able to patch them. According to insiders they were unable to link the hack to any other breaches happening before that. Since then the company has put more emphasis on internal security and former employees state that hacks like this will probably not occur anymore in the future.

But the fact remains the public should have been informed, even if it meant that the hackers likely would have used the exploits more aggressively since they knew the hack was discovered. If the public had been informed about what happened, companies, users and even governments could have taken preventative measures to ensure their security. The fact that Microsoft didn’t disclose that the breach occurred isn’t a great move at all.

“Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” said Eric Rosenbach, the U.S. deputy assistant secretary of defense for cyber at the time.

The dangers posed by information on such software vulnerabilities became a matter of broad public debate this year, after a National Security Agency stockpile of hacking tools was stolen, published and then used in the destructive “WannaCry” attacks against U.K. hospitals and other facilities.

Only one breach of a big database from a software company has been disclosed. In 2015, the nonprofit Mozilla Foundation – which develops the Firefox web browser – said an attacker had gotten access to a database that included 10 severe and unpatched flaws. One of those flaws was then leveraged in an attack on Firefox users, Mozilla disclosed at the time.
In contrast to Microsoft’s approach, Mozilla provided extensive details of the breach and urged its customers to take action.

Sources: Engadget, Reuters