‘Erratic’ online handle apt for Capital One hack suspect

August 1, 2019

By GENE JOHNSON and FRANK BAJAK

SEATTLE (AP) — The 33-year-old former Amazon software engineer accused of hacking Capital One made little attempt to hide her attack. In fact, she effectively publicized it.

It’s one of many riddles swirling around Paige Thompson, who goes by the online handle “erratic.” Well-known in Seattle’s hacker community, Thompson has lived a life of tumult, with frequent job changes, reported estrangement from family and self-described emotional problems and drug use.

FBI agents arrested Thompson Monday for allegedly obtaining personal information from more than 100 million Capital One credit applications, including roughly 140,000 Social Security numbers and 80,000 bank account numbers. There is no evidence the data was sold or distributed to others.

Thompson, in federal custody pending an Aug. 15 detention hearing, wasn’t reachable. Her public defender, Mohammad Hamoudi, did not return an emailed request for comment.

But her online behavior suggested that she may have been preparing to get caught. More than six weeks before her Monday arrest, Thompson had discussed the Capital One hack online with friends in chats and in a group she created on the Slack messaging service.

Those chats and the recollections of others offer a sketch of someone talented and troubled, grappling with what friends and her own posts indicate was an especially bumpy crossroads in her life.

Friends and associates described Thompson as a skilled programmer and software architect whose career and behavior — oversharing in chat groups, frequent profanity, expressions of gender-identity distress and emotional ups and downs — mirror her online handle.


Whistleblower vindicated in Cisco cybersecurity case

August 1, 2019

By FRANK BAJAK

BOSTON (AP) — A computer security expert who has won a trailblazing payout in a whistleblower lawsuit over critical security flaws he found in October 2008 in Cisco Systems Inc. video surveillance software thought his discovery would be a career-boosting milestone.

James Glenn imagined at the time that Cisco would credit him on its website. The software was, after all, used at major U.S. international airports and multiple federal agencies with sensitive missions.

“I mean, this was a pretty decent accomplishment,” Glenn said Thursday in a phone interview.

Instead, he was fired by the Cisco reseller in Denmark that employed him, which cited cost-cutting needs. And Cisco kept the flaws in its Video Surveillance Manager system quiet for five years.

Only Wednesday, when an $8.6 million settlement was announced and the lawsuit he filed in 2011 under the federal False Claims Act unsealed, was Glenn’s ordeal revealed — along with the potential peril posed by Cisco’s long silence.


Activists worry about potential abuse of face scans for ICE

July 9, 2019

By FRANK BAJAK

BOSTON (AP) — Civil rights activists complained Monday of the potential for widespread abuse following confirmation that at least three states have scanned millions of driver’s license photos on behalf of Immigration and Customs Enforcement without the drivers’ knowledge or consent.

Public records obtained by the Georgetown Law Center on Privacy and Technology provided the first proof that ICE had sought such scans, which were conducted in Utah, Vermont and Washington.

All three states — which offer driving privileges to immigrants who are in the U.S. illegally — agreed to the ICE requests, according to documents shared with The Associated Press on Monday and first reported by The Washington Post.

“States asked undocumented people to come out of the shadows to get licenses. Then ICE turns around and uses that to find them,” Alvaro Bedoya, the center’s director, said Monday.

ICE spokesman Matthew Bourke did not directly address written questions, including whether the agency used the scans to arrest or deport anyone.


Data scientist drops Facebook defamation suit

July 2, 2019

By FRANK BAJAK

Aleksandr Kogan, the data scientist at the center of Facebook’s Cambridge Analytica privacy scandal, said he is dropping a defamation lawsuit against the social network rather than engage in an expensive, drawn-out legal battle.

Kogan, 33, sued the social giant in March, claiming it scapegoated him to deflect attention from its own misdeeds, thwarting his academic career in the process. The suit sought unspecified monetary damages and a retraction and correction of what Kogan said were “false and defamatory statements.”

“We thought there was a one percent chance they would do the right thing,” Kogan told The Associated Press. Facebook is “brilliant and ruthless,” he added. “And if you get in their way they will destroy you.”

A Facebook spokesperson said the company had “no comment to share concerning this development.”

The former Cambridge University psychology professor created an online personality test app in 2014 that vacuumed up the personal data of as many as 87 million Facebook users. The vast majority of those were unwitting online friends of the roughly 200,000 people Kogan says were paid about $4 to participate in his “ThisIsYourDigital Life” quiz.


Server image mystery in Georgia election security case

July 3, 2019

By FRANK BAJAK

The case of whether hackers may have tampered with elections in Georgia has taken another strange turn.

Nearly two years ago, state lawyers in a closely watched election integrity lawsuit told the judge they intended to subpoena the FBI for the forensic image, or digital snapshot, the agency made of a crucial server before state election officials quietly wiped it clean. Election watchdogs want to examine the data to see if there might have been tampering, given that the server was left exposed by a gaping security hole for more than half a year.

A new email obtained by The Associated Press says state officials never did issue the subpoena, even though the judge had ordered that evidence be preserved, including from the FBI.

The FBI data is central to activists’ challenge to Georgia’s highly questioned, centrally administered elections system, which lacks an auditable paper trail and was run at the time by Gov. Brian Kemp, then Georgia’s secretary of state.

The plaintiffs contend Kemp’s handling of the wiped server is the most glaring example of mismanagement that could be hiding evidence of vote tampering. They have been fighting for access to the state’s black-box voting systems and to individual voting machines, many of which they say have also been altered in violation of court order.

Marilyn Marks of the Coalition for Good Governance, a plaintiff in the case, said that if the state failed to secure the data from the FBI — despite informing U.S. District Judge Amy Totenberg in October 2017 of its intent to do so with the subpoena — it clearly has something to hide.


WhatsApp flaw let spies take control with calls alone

May 14, 2019

By FRANK BAJAK and RAPHAEL SATTER

Spyware crafted by a sophisticated group of hackers-for-hire took advantage of a flaw in the popular WhatsApp communications program to remotely hijack dozens of phones without any user interaction.

The Financial Times identified the hacking group as Israel’s NSO Group, which has been widely condemned for selling surveillance tools to repressive governments.

WhatsApp all but confirmed the identification, describing hackers as “a private company that has been known to work with governments to deliver spyware.” A spokesman for the Facebook subsidiary later said: “We’re certainly not refuting any of the coverage you’ve seen.”

WhatsApp has released a new version of the app containing a fix.

The spyware did not directly affect the end-to-end encryption that makes WhatsApp chats and calls private. It merely used a bug in the WhatsApp software as an infection vehicle. The malware allows spies to effectively take control of a phone — remotely and surreptitiously controlling its cameras and microphones and vacuuming up personal and location data. Encryption is worthless once a phone’s operating system has been violated.

Hackers are always looking for flaws in apps and operating systems that they can exploit to deliver spyware. State-run intelligence agencies including the U.S. National Security Agency invest tens of millions of dollars in it. Indeed, Google’s Project Zero bug-hunting team scoured WhatsApp last year looking for vulnerabilities but did not find any. Instead, it was WhatsApp’s security team that found the flaw.


Microsoft offers software tools to secure elections

May 6, 2019

By FRANK BAJAK

Microsoft has announced an ambitious effort to make voting secure, verifiable and subject to reliable audits by registering ballots in encrypted form so they can be accurately and independently tracked long after they are cast.

Two of the three top U.S. elections vendors have expressed interest in potentially incorporating the open-source software into their voting systems.

The software is being developed with Galois, an Oregon-based company separately creating a secure voting system prototype under contract with the Pentagon’s advanced research agency, DARPA. Dubbed “ElectionGuard,” it will be available this summer, Microsoft says, with early prototypes ready to pilot for next year’s U.S. general elections.

CEO Satya Nadella announced the initiative Monday at a developer’s conference in Seattle, saying the software development kit would help “modernize all of the election infrastructure everywhere in the world.”

Three little-known U.S. companies control about 90 percent of the market for election equipment, but have long faced criticism for poor security, antiquated technology and insufficient transparency around their proprietary, black-box voting systems.

Open-source software is inherently more secure because the underlying code is easily scrutinized by outside experts but has been shunned by the dominant vendors whose customers — the nation’s 10,000 election jurisdictions — are mostly strapped for cash.

None offered bids when Travis County, Texas, home to Austin, sought to build a system with the “end-to-end” verification attributes that ElectionGuard promises to deliver.


How Facebook stands to profit from its ‘privacy’ push

March 8, 2019

By FRANK BAJAK

At first glance, Mark Zuckerberg’s new “privacy-focused vision” for Facebook looks like a transformative mission statement from a CEO under pressure to reverse years of battering over its surveillance practices and privacy failures.

But critics say the announcement obscures Facebook’s deeper motivations: To expand lucrative new commercial services, continue monopolizing the attention of users, develop new data sources to track people and frustrate regulators who might be eyeing a breakup of the social-media behemoth.

Facebook “wants to be the operating system of our lives,” said Siva Vaidhyanathan, director of media studies at the University of Virginia.

Zuckerberg’s plan, outlined Wednesday, expands Facebook’s commitment to private messaging, in sharp contrast with his traditional focus on public sharing. Facebook would combine its instant-messaging services WhatsApp and Instagram Direct with its core Messenger app so that users of one could message people on the others, and would expand the use of encrypted messaging to keep outsiders — including Facebook — from reading the messages.

The plan also calls for using those messaging services to expand Facebook’s role in e-commerce and payments. A Facebook spokesperson later said it was too early to answer detailed questions about the company’s messaging plans.

Vaidhyanathan said Zuckerberg wants people to abandon competing, person-to-person forms of communication such as email, texting and Apple’s iMessage in order to “do everything through a Facebook product.” The end goal could be to transform Facebook into a service like the Chinese app WeChat, which has 1.1 billion users and includes the world’s most popular person-to-person online payment system.


Ahead of court ruling, Census Bureau seeks citizenship data

March 7, 2019

By GARANCE BURKE and FRANK BAJAK

As the U.S. Supreme Court weighs whether the Trump administration can ask people if they are citizens on the 2020 Census, the Census Bureau is quietly seeking comprehensive information about the legal status of millions of immigrants.

Under a proposed plan, the Department of Homeland Security would provide the Census Bureau with a broad swath of personal data about noncitizens, including their immigration status, The Associated Press has learned. A pending agreement between the agencies has been in the works since at least January, the same month a federal judge in New York blocked the administration from adding the citizenship question to the 10-year survey.

On Wednesday, a federal judge in California also declared that adding the citizenship question to the Census was unconstitutional, saying the move “threatens the very foundation of our democratic system.”

The data that Homeland Security would share with Census officials would include noncitizens’ full names and addresses, birth dates and places, as well as Social Security numbers and highly sensitive alien registration numbers, according to a document signed by the Census Bureau and obtained by AP.

Such a data dump would be apparently unprecedented and give the Census Bureau a view of immigrants’ citizenship status that is even more precise than what can be gathered in door-to-door canvassing, according to bureau research.


Experts: US anti-Huawei campaign likely exaggerated

February 28, 2019

By FRANK BAJAK

Since last year, the U.S. has waged a vigorous diplomatic offensive against the Chinese telecommunications giant Huawei, claiming that any nation deploying its gear in next-generation wireless networks is giving Beijing a conduit for espionage or worse.

But security experts say the U.S. government is likely exaggerating that threat. Not only is the U.S. case short on specifics, they say, it glosses over the fact that the Chinese don’t need secret access to Huawei routers to infiltrate global networks that already have notoriously poor security.

State-sponsored hackers have shown no preference for one manufacturer’s technology over another, these experts say. Kremlin-backed hackers, for instance, adroitly exploit internet routers and other networking equipment made by companies that are not Russian.

If the Chinese want to disrupt global networks, “they will do so regardless of the type of equipment you are using,” said Jan-Peter Kleinhans, a researcher at the Berlin think tank Neue Verantwortung Stiftung.

One of the most common U.S. fears — that Huawei might install software “backdoors” in its equipment that Chinese intelligence could use to tap into, eavesdrop on or interrupt data transmissions — strikes some experts as highly unlikely.

Priscilla Moriuchi, who retired from the National Security Agency in 2017 after running its Far East operations, does not believe the Huawei threat is overblown. But she called the odds of the company installing backdoors on behalf of Chinese intelligence “almost zero because of the chance that it would be discovered,” thus exposing Huawei’s complicity.
