Category Archives: hack

FCC has a redaction party with emails relating to mystery attack on comment system

You may remember the FCC explaining that in both 2014 and 2017, its comment system was briefly taken down by a denial of service attack. At least, so it says — but newly released emails show that the 2014 case was essentially fabricated, and the agency has so aggressively redacted documents relating to the 2017 incident that one suspects they’re hiding more than ordinary privileged information.

As a very quick recap: Shortly after the comment period opened for both net neutrality and the rollback of net neutrality there was a rush of activity that rendered the filing system unusable for a period of hours. This was corrected soon afterwards and the capacity of the system increased to cope with the increased traffic.

A report from Gizmodo based on more than 1,300 pages of emails obtained by watchdog group American Oversight shows that David Bray, the FCC’s chief information officer for a period encompassing both events, appears to have advanced the DDoS narrative with no real evidence or official support.

The 2014 event was not called an attack until much later, when Bray told reporters following the 2017 event that it was. “At the time the Chairman [i.e. Tom Wheeler] did not want to say there was a DDoS attack out of concern of copycats,” Bray wrote to a reporter at Federal News Radio. “So we accepted the punches that it somehow crashed because of volume even though actual comment volume wasn’t an issue.”

Gigi Sohn, who was Wheeler’s counsel at the time, put down this idea: “That’s just flat out false,” she told Gizmodo. “We didn’t want to say it because Bray had no hard proof that it was a DDoS attack. Just like the second time.”

And it is the second time that is most suspicious. Differing on the preferred nomenclature for a four-year-old suspicious cyber event would not be particularly damning, but Bray’s narrative of a DDoS is hard to justify with the facts we do know.

In a blog post written in response to the report, Bray explained regarding the 2017 outage:

Whether the correct phrase is denial of service or “bot swarm” or “something hammering the Application Programming Interface” (API) of the commenting system — the fact is something odd was happening in May 2017.

Bray’s analysis appears sincere, but the data he volunteers is highly circumstantial: large amounts of API requests that don’t match comment counts, for instance, or bunches of RSS requests that tie up the servers. Could it have been a malicious actor doing this? It’s possible. Could it have been bad code hammering the servers with repeated or malformed requests? Also totally possible. The FCC’s justification for calling it an attack seems to be nothing more than a hunch.

Later the FCC, via then-CIO Bray, would categorize the event as a “non-traditional DDoS attack” flooding the API interface. But beyond that it has produced so little information of any import that Congress has had to re-issue its questions in stronger words.

No official documentation of either supposed attack has appeared, nor has the FCC released any data on it, even a year later and long after the comment period has closed, improvements to the system have been made and the CIO who evaded senators’ questions departed.

But most suspicious is the extent to which the FCC redacted documents relating to the 2017 event. Having read through the trove of emails, Gizmodo concludes that “every internal conversation about the 2017 incident between FCC employees” has been redacted. Every one!

The FCC stated before that the “ongoing nature” of the threats to its systems meant it would “undermine our system’s security” to provide any details on the improvements it had made to mitigate future attacks. And Bray wrote in his post that there was no “full blown report” because the team was focused on getting the system up and running again. But there is also an FCC statement saying that “our analysis reveals” that a DDoS was the cause.

What analysis? If it’s not a “significant cyber incident,” as the FBI determined, why the secrecy? If there’s no report or significant analysis from the day — wrong or right in retrospect — what is sensitive about the emails that they have to be redacted en masse? Bray himself wrote more technical details into his post than the FCC has offered in the year since the event — was this information sent to reporters at the time? Was it redacted? Why? So little about this whole information play makes sense.

One reasonable explanation (and just speculation, I should add) would be that the data do not support the idea of an attack, and internal discussions are an unflattering portrait of an agency doing spin work. The commitment to transparency that FCC Chairman Pai so frequently invokes is conspicuously absent in this specific case, and one has to wonder why.

The ongoing refusal to officially document or discuss what all seem to agree was an important event, whether it’s a DDoS or something else, is making the FCC look bad to just about everyone. No amount of redaction can change that.

MyHeritage breach exposes 92M emails and hashed passwords

The genetic analysis and family tree website MyHeritage was breached last year by unknown actors, who exfiltrated the emails and hashed passwords of all 92 million registered users of the site. No credit card info, nor (what would be more disturbing) genetic data appears to have been collected.

The company announced the breach on its blog, explaining that an unnamed security researcher contacted them to warn them of a file he had encountered “on a private server,” tellingly entitled “myheritage.” Inside it were the millions of emails and hashed passwords.

Hashing passwords is a one-way encryption process allowing sensitive data to be stored easily, and although there are theoretically ways to reverse hashing, they involve immense amounts of computing power and quite a bit of luck. So the passwords are probably safe, but MyHeritage has advised all its users to change theirs regardless, and they should.

The emails are not fundamentally revealing data; billions have been exposed over the years through the likes of the Equifax and Yahoo breaches. They’re mainly damaging in connection with other data. For instance, the hackers could put 2 and 2 together by cross-referencing this list of 92 million with a list of emails whose corresponding passwords were known via some other breach. That’s why it’s good to use a password manager and have unique passwords for every site.

MyHeritage’s confidence that other data was not accessed appears to be for a good reason:

Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.

Of course, until recently the company had no reason to believe the other system had been compromised, either. That’s one of those tricky things about cybersecurity. But we can do the company the credit of understanding from this statement that it has looked closely at its more sensitive servers and systems since the breach and found nothing.

Two-factor authentication was already in development, but the team is “expediting” its rollout, so if you’re a user, be sure to set that up as soon as it’s available.

A full report will likely take a while; the company is planning to hire an external security firm to look into the breach, and is working on notifying relevant authorities under U.S. laws and GDPR, among others.

I’ve asked MyHeritage for further comment and clarification on a few things and will update this post if I hear back.

FreeMe Wins The Disrupt London 2015 Hackathon Grand Prize

It’s been a long night at the Copper Box Arena in London. The arena hosted the handball competition of the Summer Olympics two years ago. But this weekend has been all about a different kind of competition — the Disrupt London Hackathon. Some of them were participating in our event for the first time, while others were regular hackers. Their challenge was to come up with a neat,…

Amazon Shows Off New Prime Air Drone With Hybrid Design

Amazon delivered a lovely update on its ‘Prime Air’ project today — almost exactly two years after it showed the first iteration of its drone. You know, the flying delivery drone that some thought was a massive joke meant for April 1st. Included are some high-res shots and two new videos. Amazon releases a vid with a new Prime Air drone design https://t.co/HCIjXZQkWN…

Google Open Sources Two Tools To Import Mail Into Gmail

If you’ve ever been stuck using another email service and want to move over to Gmail, importing all of your mail is a real pain in the ass. Think Apple’s Mail client tied to, say, an exchange account. Today, Google open sourced two projects that’ll help make moving over much easier.

Thorn To Set Up An Innovation Lab In Silicon Valley To Fight Child Sexual Exploitation

Putting children, let alone anyone who can’t fend for themselves, into harm’s way is a monstrosity. Every single day, media of all types, photos and videos being the most prominent, depicting children in sexual scenarios are being uploaded to sites and services all over the world. It must stop. But how?

Google Calendar For The Web Gets A Trash Can

You set up a meeting, drop it into Google Calendar. Then someone says “let’s do it another time” and you delete it. Then they say they’re available again. What do you do? You create a new entry. Until now. Today, the Google Apps team released a small but handy feature for the web version of Google Calendar — a trash can. You can now view, permanently delete or…

Lytro Introduces ‘Immerge’ For Cinematic Virtual Reality

Camera maker Lytro is hopping into virtual reality. Today, it announced a product called “Immerge” which the company describes as “world’s first professional light field solution for cinematic VR.”
What does that mean exactly?
Well Lytro wants to provide tools to shoot live action virtual reality. It built its “light field” solution from the ground up.

500 Startups Introduces Batch 15: Under-Sea Drones, Puppy Treats, And On-Demand Snow Plowing

It seems like only yesterday that we were introducing you to 500’s Batch 14, but Summer is gone, the demos have been done, we’ve picked our favs and it’s time to introduce you to the next group going through 500’s accelerator — 500 Startups’ Batch 15. 500 Startups has a thesis of investing in many startups, some that they consider “unsexy,”…
