Someone finally made an app to detect credit card skimmers at the gas pump

Someone finally made an app to detect credit card skimmers at the gas pump

In less than 30 seconds a hacker can install a $10 piece of pre-built hardware – easily purchased online – into a gas pump. This device is called a skimmer and it’s designed to get your credit card number when you use it at the pump.

A clever developer came up with a somewhat simple approach to protecting yourself at the gas station. The CEO and Founder of SparkFun, Nate Seidle, along with programmer Nick Poole, built a free, open-source Android app to detect popular skimmers.

The app detects a specific Bluetooth signal and, if found, it tries to establish a connection and send a command that will verify the existence of a skimmer in your general area. The app is looking for Bluetooth networks with an ID of HC-05, which turned out to be the default on devices Seidle tested; if it finds one you’ll be alerted.

SparkFun’s Bluetooth device-detecting app is called Skimmer Scanner and it’s a bare-bones tool that appears to work as intended. It’s free and open-source and the developer says it doesn’t keep or record any information.

In a fantastic blog post detailing a complete dissection of several of the devices, Seidle explains that most of the criminals are dealing in bulk:

The designers of this skimmer were smart, it’s better to make these devices easy to connect to than to add a layer of security. What’s the worst that could happen? The device is detected and removed from the pump. Meanwhile, 10 more have been deployed for a total cost of $100.

The only tool necessary is a key to unlock the pump. The locks are basic and there are no more than a few different key designs for all gas pumps – master keys for the model.

This isn’t new; for decades, criminals have been using various computer hardware devices to intercept credit card numbers during transactions. But hardware hacking is no longer the domain of only talented – albeit shady – individuals. It’s the purview of anyone with a laptop, a car, and the stolen credit card information necessary to buy an easily made piece of hardware online.

While I haven’t had the opportunity to ride around looking for skimmers yet, I can happily confirm that there are no skimmers scamming in my office.


via:  thenextweb

Save pagePDF pageEmail pagePrint page

EC-Council Announces the World’s First Fully Proctored Hands-On Penetration Testing Exam

EC-Council today announced the release of the new, fully-proctored Licensed Penetration Tester (LPT) certification, which will be launched at Hacker Halted, 2017. The new LPT (Master) certification exam is the first globally accepted, hands-on penetration testing certification exam administered in a fully proctored environment.

EC-Council today announced the release of the new, fully-proctored Licensed Penetration Tester (LPT) certification, which will be launched at Hacker Halted, 2017. The new LPT (Master) certification exam is the first globally accepted, hands-on penetration testing certification exam administered in a fully proctored environment.

Penetration testing professionals around the world will be able validate their skills in this new exam format launched by EC-Council. The new LPT (Master) certification exam will be delivered as a secure, fully-proctored, live certification test that can be taken anytime, anywhere by busy professionals.

Jay Bavisi, the president and CEO of EC-Council, commented “With the increase in the sophistication of cyber-attacks and with ever growing security needs, today’s digital enterprises are looking for experts that have proven abilities to function as competent penetration testers in order to secure their operations. The fully proctored, hands-on LPT (Master) certification exam combines effectiveness with convenience to deliver a highest standard of exam that enables the candidates to demonstrate expertise in applying their skills in a hands-on environment.”

The exam provides a level playing field where candidates are challenged to prove their skills as expert-level penetration testers. Bavisi added, “In the real world, penetration testers go through a strenuous, arduous and laborious process to keep their clients and organizations secure. This exam is meant to mimic the real-world environment and is meant to stress, burden and ardently push the candidates to their limits to test their actual abilities in penetration testing.”

The new LPT (Master) certification is the crown jewel of the EC-Council penetration testing track. It challenges candidates through a grueling 18 hours of hands-on exam categorized into three practical tests for six hour intervals, each of which provide a multidisciplinary approach for targeting and compromising high security environments. Upon completion of the exam, candidates will have to demonstrate an advanced understanding of testing modern infrastructures by completing a professional penetration test report to be evaluated by EC-Council experts for completeness and professionalism. For more information, please contact Saba.Mohammad(at)

About EC Council:
EC-Council has been the world’s leading information security certification body since the launch of their flagship program, Certified Ethical Hacker (CEH), which created the ethical hacking industry in 2002. Since the launch of CEH, EC-Council has added industry-leading programs to their portfolio to cover all aspects of information security including EC-Council Certified Security Analyst (ECSA), Computer Hacking Forensics Investigator (CHFI), Certified Chief Information Security Officer (CCISO), among others. EC-Council Foundation, the non-profit branch of EC-Council, created Global CyberLympics, the world’s first global hacking competition. EC-Council Foundation also hosts a suite of conferences across the US and around the world including Hacker Halted, Global CISO Forum, TakeDownCon, and CISO Summit.

For more information about EC-Council, please see


via:  rweb

Save pagePDF pageEmail pagePrint page

Slow breach detection, patching, operational snags handcuff healthcare security

It’s still taking many healthcare organizations far too long to discover a breach — much longer than in other sectors.

When it comes to healthcare security, security experts would rank the industry in the middle or toward the lower end of the pack, according to a panel of security leaders at Monday’s Healthcare Security Forum.

That because it’s still taking many healthcare organizations far too long to discover a breach — much longer than in other sectors, according to BitSight Technologies Co-founder And Chief Technical Officer Stephen Boyer.

According to Boyer, healthcare is in the middle and needs to work on remediating systems and improving patching and blocking policies. And its users are only amplifying risks by falling victim to malicious attacks.

Chief Information Security Officer of Christiana Care Health System Anahi Santiago would rank healthcare even lower, as the industry struggles with operational challenges. The need for accessibility in healthcare can prove challenging when it comes to the security team applying updates and patches.

“The threat landscape keeps getting worse and worse, and we can’t work at the rate the bad guys are moving,” said Santiago. “I think the industry is going to go backwards before it moves forward.”

Part of the problem is that healthcare is missing critical components — including IT and security hygiene, said VMware Senior Healthcare Strategist Chris Logan.

“Why are we still, in this day and age, with all of our high-tech information still missing the user?” said Logan. “We need to educate the user: enable them to do the right thing to get back to security hygiene.”

Penn Medicine CISO Dan Costantino finds the issue with healthcare’s security can boil down to culture. Much like Santiago, Costantino said that healthcare security will take a large step backward before it goes forward, as healthcare is a “reactionary culture.”

“The culture and mindset of being proactive is just foreign to so many levels of healthcare,” said Costantino. “So many departments are struggling now: something major is going to have to happen for that culture to shift.”

And the need for the shift will only increase as threats continue to become more sophisticated and prolific.

For Santiago, the greatest threat is the “speed of which we’re adopting tech and the fact that as security professionals, we need to keep up with that pace.”

This includes not only threats on the network, but the devices given to patients to take home, Santiago said. But her biggest fear is the vulnerability of systems and the potential inability to care for patients.

“There are so many different threats that can happen in a health system. And if we can’t take care of patients, we’re not doing what we set forth to do,” said Santiago.

Another less visible issue is asset management. According to Boyer, it’s a big challenge for IoT. There are millions of orphaned devices and millions of vulnerable devices that aren’t managed or tracked.

To get healthcare up to speed on its security needs, Logan said that security teams need to keep having those tough conversations up the chain of the organization.

“The patient is relying on you to have that conversation: Do what you have to do within your organization to make sure the risks are mitigated,” said Logan.

Costantino agreed: It’s all about people. But the issue is the story organizations are telling — aren’t right.

“Some security teams and system admins think end users are stupid. But that’s not the case,” said Costantino. “It’s that people don’t think about security the way you do. If you look at your policies, you can see why people act the way they do.”

“At the end of the day, it’s a business-level effort,” he said.


via:  healthcareitnews

Save pagePDF pageEmail pagePrint page

Governments turn tables by suing public records requesters

An Oregon parent wanted details about school employees getting paid to stay home. A retired educator sought data about student performance in Louisiana. And college journalists in Kentucky requested documents about the investigations of employees accused of sexual misconduct.

Instead, they got something else: sued by the agencies they had asked for public records.

Government bodies are increasingly turning the tables on citizens who seek public records that might be embarrassing or legally sensitive. Instead of granting or denying their requests, a growing number of school districts, municipalities and state agencies have filed lawsuits against people making the requests — taxpayers, government watchdogs and journalists who must then pursue the records in court at their own expense.

The lawsuits generally ask judges to rule that the records being sought do not have to be divulged. They name the requesters as defendants but do not seek damage awards. Still, the recent trend has alarmed freedom-of-information advocates, who say it’s becoming a new way for governments to hide information, delay disclosure and intimidate critics.

“This practice essentially says to a records requester, ‘File a request at your peril,’” said University of Kansas journalism professor Jonathan Peters, who wrote about the issue for the Columbia Journalism Review in 2015, before several more cases were filed. “These lawsuits are an absurd practice and noxious to open government.”

Government officials who have employed the tactic insist they are acting in good faith. They say it’s best to have courts determine whether records should be released when legal obligations are unclear — for instance, when the documents may be shielded by an exemption or privacy laws.

At least two recent cases have succeeded in blocking information while many others have only delayed the release.

State freedom-of-information laws generally allow requesters who believe they are wrongly denied records to file lawsuits seeking to force their release. If they succeed, government agencies can be ordered to pay their legal fees and court costs.

Suing the requesters flips the script: Even if agencies are ultimately required to make the records public, they typically will not have to pay the other side’s legal bills.

“You can lose even when you win,” said Mike Deshotels, an education watchdog who was sued by the Louisiana Department of Education after filing requests for school district enrollment data last year. “I’m stuck with my legal fees just for defending my right to try to get these records.”

The lawsuit argued that the data could not be released under state and federal privacy laws and initially asked the court to order Deshotels and another citizen requester to pay the department’s legal fees and court costs. The department released the data months later after a judge ruled it should be made public.

Deshotels, a 72-year-old retired teachers’ union official who authors the Louisiana Educator blog, had spent $3,000 fighting the lawsuit by then. He said the data ultimately helped show a widening achievement gap among the state’s poorest students, undercutting claims of progress by education reformers.

The lawsuits have been denounced by some courts and policymakers. A New Jersey judge in 2015 said they were the “antithesis” of open-records policies and dismissed a case filed by a township against a person who requested police department surveillance video footage.

In Michigan, the state House voted 108-0 earlier this year in favor of a bill that would make it illegal for agencies to sue public records requesters. The proposal came in response to a county’s lawsuit against a local newspaper that had sought the personnel files of two employees running for sheriff. A judge dismissed the lawsuit, saying the county had to approve or deny the request.

The documents, ultimately released days before the election, showed that one of the candidates had been disciplined for carrying on an affair while on-duty in 2011. That candidate lost.

The Michigan bill’s sponsor, Republican Rep. Klint Kesto, called the tactic “a backdoor channel to delay and put pressure on the requester” that circumvents the state’s Freedom of Information Act.

“Government shouldn’t file a lawsuit and go on offense. Either approve the request or deny it,” he said. “This shouldn’t be happening anywhere in the country.”

As his bill remains pending in a state Senate committee, Michigan State University filed a lawsuit May 1 against ESPN after the network requested police reports related to a sexual assault investigation involving football players. That and a number of other cases are currently unfolding.

In April, the Portland, Oregon, school district filed a lawsuit against parent Kim Sordyl, who is seeking records about employees on leave for alleged misconduct after the disclosure that one psychologist had been off for three years. Sordyl said she believes the information will expose costly missteps by district human resources officials and lawyers, and the district attorney has already ordered the records to be released.

“They are going to great lengths to protect themselves and their own mismanagement. This is retaliation,” said Sordyl, who has hired an attorney. “Most people would give up.”

A district spokesman said the lawsuit, which also names a journalist who requested similar information, amounts to an appeal “in an area of public records law that we believe lacks clarity.”

“When this information is released prematurely, the district’s position is that the employees’ right to due process is jeopardized,” spokesman Dave Northfield said.

The University of Kentucky prevailed in January when a judge blocked the release of records sought by its student newspaper detailing the investigation of a professor who resigned after being accused of groping students.

The judge agreed with the university that the records would violate the privacy rights of students who were victims even if their names were redacted.

While that ruling is on appeal, Western Kentucky University filed a similar lawsuit against its paper, the College Heights Herald, which sought records related to allegations of sexual harassment and assault involving employees. Several other state universities released similar documents to the newspaper, and the state attorney general has ruled that they are public records.

“It’s not a good feeling knowing that we are being sued,” said Herald editor-in-chief Andrew Henderson, whose publication has been raising money to pay legal fees. “I just hope that something beneficial comes out of all of this for everyone involved.”


via:  apnews

Save pagePDF pageEmail pagePrint page

Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads — 2.3 Million Infected

Users of Avast-owned security application CCleaner for Windows have been advised to update their software immediately, after researchers discovered criminal hackers had installed a backdoor in the tool. The tainted application allows for download of further malware, be it ransomware or keyloggers, with fears millions are affected. According to Avast’s own figures, 2.27 million ran the affected software, though the company said users should not panic.

The affected app, CCleaner, is a maintenance and file clean-up software run by a subsidiary of anti-virus giant Avast. It has 2 billion downloads and claims to be getting 5 million extra a week, making the threat particularly severe, researchers at Cisco Talos warned. Comparing it to the NotPetya ransomware outbreak, which spread after a Ukrainian accounting app was infected, the researchers discovered the threat on September 13 after CCleaner 5.33 caused Talos systems to flag malicious activity.

Further investigation found the CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software.

CCleaner Windows app infected

Cisco Talos


The CCleaner app, designed to help users carry out good cyber hygiene, was itself infected.

The malware would send encrypted information about the infected computer – the name of the computer, installed software and running processes – back to the hackers’ server. The hackers also used what’s known as a domain generation algorithm (DGA); whenever the crooks’ server went down, the DGA could create new domains to receive and send stolen data. Use of DGAs shows some sophistication on the part of the attackers.

Downplaying the threat?

CCleaner’s owner, Avast-owned Piriform, has sought to ease concerns. Paul Yung, vice president of product at Piriform, wrote in a post Monday: “Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.

“The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker.

“Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”

Not all are convinced by the claims of Piriform, acquired by Avast in July. “I have a feeling they are downplaying it indeed,” said Martijn Grooten, editor of security publication Virus Bulletin. Of the Piriform claim it had no evidence of much wrongdoing by the hacker, Grooten added: “As I read the Cisco blog, there was a backdoor that could have been used for other purposes.

“This is pretty severe. Of course, it may be that they really only stole … ‘non-sensitive data’ … but it could be useful in follow-up targeted attacks against specific users.”

In its blog, Talos’ researchers concluded: “This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates.”


Avast CTO: No need to panic


Avast chief technology officer Ondrej Vlcek said there was, however, little reason to panic. He told Forbes the company used its Avast security tool to scan machines on which the affected CCleaner app was installed (in 30 per cent of Avast installs, CCleaner was also resident on the PC). That led to the conclusion that the attackers hadn’t launched the second phase of their attack to cause more harm to victims.

“2.27 million is certainly a large number, so we’re not downplaying in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic,” Vlcek added. “To the best of our knowledge, the second-stage payload never activated… It was prep for something bigger, but it was stopped before the attacker got the chance.” He said Cisco Talos wasn’t the first to notify Avast of the issues, another unnamed third party was.

It’s unclear just who was behind the attacks. Yung said the company wouldn’t speculate on how the attack happened or possible perpetrators. For now, any concerned users should head to the Piriform website to download the latest software.


via:  forbes

Save pagePDF pageEmail pagePrint page

Verizon Is Booting 8,500 Rural Customers Over Data Use, Including Some on ‘Unlimited’ Plans

Verizon has decided to abruptly cut off wireless internet to some 8,500 rural customers in 13 states, saying their heavy data use had made it impossible to profit off of the accounts—even though many of the users had purchased unlimited plans.

“Approximately 8,500 customers—using a variety of plans—were notified this month that we would no longer be their service provider after October 17th, 2017,” Verizon corporate communications director Kelly Crummey told BGR. “These customers live in 13 states (Alaska, Idaho, Iowa, Indiana, Kentucky, Maine, Michigan, Missouri, Montana, North Carolina, Oklahoma, Utah and Wisconsin) and in areas outside of where Verizon operates our own network.”

Letters Verizon is sending to the affected customers are blunt, to say the least.

“During a recent review of customer accounts, we discovered you are using a significant amount of data while roaming off the Verizon Wireless network,” Verizon wrote, according to Ars Technica. “While we appreciate you choosing Verizon, after October 17th, 2017, we will no longer offer service for the numbers listed above since your primary place of use is outside the Verizon service area.”

No option to continue, with or without reducing use of mobile data, was given.

Per BGR, the issue stems from Verizon’s LTEiRA program, in which the company pairs with 21 regional carriers to provide mobile access to rural regions. Verizon users get to jump on board those regional networks whenever they want, though when they use roaming data Verizon is responsible for paying the carriers’ fees.

While Verizon says some of the users were using as much as a terabyte of data monthly, one family reported they had been using less than 50 gigabytes of data across four lines every month on an unlimited data plan.

“Now we are left with very few choices, none of them with good service,” a member of the family told Ars Technica. “I guess small-town America means nothing to these people. It’s OK—though I live in a small town, I know a lot of people, and I’m telling every one of them to steer clear of Verizon.”

Verizon’s decision has ramifications for the regional carriers as well, which say the company encouraged them to build infrastructure to expand their service areas but is now backing out on the deal.

Though US telecoms have long gotten away with the digital equivalent of murder while providing terrible service, Verizon’s decision is particularly ominous given it could soon be given free license to treat rural customers even more poorly. The Federal Communications Commission and its Donald Trump-appointed chairman Ajit Pai have recently sought to slash the agency’s standards for what it considers acceptable access to broadband, including by allowing service providers to pass off mobile service as a replacement for home internet—a decision that would disproportionately impact poor Americans.


via:  gizmodo

Save pagePDF pageEmail pagePrint page

Microsoft’s Azure ‘Confidential Computing’ Encrypts Data in Use

Early Access program under way for new Azure cloud security feature.

Microsoft is ramping up Azure data security with encryption of data while in use, a protection so far absent from the public cloud, the company announced today.

The new collection of features and services, called Azure “confidential computing,” is the product of joint collaboration among the Azure team, Microsoft Research, Windows, its Developer Tools group, and Intel, all of which have been building the technology for over four years. Microsoft is making the new features available to users via an Early Access program.

Confidential computing lets users process data in the cloud, knowing it’s under their control. The new Azure update arrives at a time when data breaches regularly make headlines and attackers find new ways to steal personally identifiable information (PII), financial data, and intellectual property.

Many businesses hesitate to move sensitive data to the cloud for fear it will be compromised while in use.

“While many breaches are the result of poorly configured access control, most can be traced to data that is accessed while in use, either through administrative accounts, or by leveraging compromised keys to access encrypted data,” says Azure CTO Mark Russinovich in a blog post.

Data has to be “in the clear” for efficient processing. In confidential computing, it’s stored inside a Trusted Execution Environment (TEE). This ensures data and operations cannot be viewed from the outside, even if the attacker is using a debugger.

Microsoft uses enclaves to protect data in SQL Server, its own infrastructure, and blockchain financial operations, a technology known as the Coco Framework. The same tech will be applied to bring encryption-in-use to Azure SQL Database and SQL Server. This builds on the Always Encrypted capability, which encrypts sensitive data in an SQL database at all times by assigning computations on sensitive data to an enclave, where it is decrypted and processed.

Only authorized code is allowed to access the data inside an enclave. And if an attacker tries to manipulate the code, Azure denies the operations and disables the environment. TEE maintains this level of protection for as long as the code inside it is executed.

Microsoft says the ability to protect data in use can safeguard information from specific threats such as malicious insiders with administrative privilege or access to the hardware on which it’s processed. Confidential computing also protects against third parties accessing data without the owner’s consent, and malware designed to exploit bugs in the application, OS, or hypervisor, Microsoft says.

The platform Microsoft is building as part of confidential computing will let developers use multiple TEEs without requiring them to change code. At first Azure will support two: software-based Virtual Secure Mode (VSM) and hardware-based Intel SGX.

VSM is an enclave implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code from running on a computer or server. Local and cloud-service administrators cannot see the contents in, or change the execution of, the VSM enclave.

The Intel SGX TEE has the first SGX-capable servers in the public cloud. Users will be able to leverage SGX enclaves if they don’t want their trust model to include Azure or Microsoft. Microsoft is working with both Intel and other partners to create and support more TEEs.

Microsoft foresees application of confidential computing in industries including finance, healthcare, and artificial intelligence. “In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE,” says Russinovich.


via:  darkreading

Save pagePDF pageEmail pagePrint page


Delta Basic Economy fares permit a larger carry-on bag, so the focus of this story is on American Airlines and United. If you think you can slip by undetected with you rollerboard, be prepared to pay up and lose every penny you saved by buying a Basic Economy fare in the first place.

Let’s first note that both American and United offer exceptions to their “no overhead bin space” Basic Economy policy. Should you have hold an airline-branded credit card, you can take a larger carry-on bag. If you have elite status, you can also take a larger carry-on bag onboard.

But if you don’t qualify for either exception, you’re not going to like the outcome if you’re caught at the gate. On both American and United, it is $25 to check a bag. But if you’re on a Basic Economy fare and you get caught at the gate, your fee is $50. Why? A $25 fee.

United calls it a gate-handling charge. American labels it a gate-service fee. It’s really a penalty on top of a fee.

Unlike others, who can check their bag without cost to their final destination if overhead bin space runs out, the very point of Basic Economy is to help avoid this problem in the first place. That means if you get caught with a bag, you are going to have to pay up.

A Painful Example

United does not allow online or mobile check-in if you purchase a Basic Economy fare and do not pay for a bag. While I’m sure that alleviates the issue for some, it is easy enough for a pair traveling together to take turns checking in while the other stands at a distance with both carry-on bags.

Vishnu Bhargava and his wife were flying on United from San Francisco to Boston in late July and didn’t notice the conditions of Basic Economy tickets. He checked in the night before, paid for one checked bag and planned to bring two carry-ons. He didn’t read the small print.

When they got to the gate, they were told their carry-on bags would have to be checked. His cost $50—the standard bag fee plus the gate handling charge. His wife’s was $60, since she had already checked one bag. United charges $35 for a second bag, plus the extra fee.

“I was shocked,” says Mr. Bhargava, a retired physician from India. “Whatever I saved with Basic Economy, I had to pay more. This fee is not at all fair.”

Oh, it’s fair. It may be stupid, but it’s certainly fair. As long as it was clearly disclosed, which leads me to my final point.

Disclosure Problems

When you buy a Basic Economy fare on, the restrictions could not be clearer. But when buying on many online travel agencies, the prohibitions are not clearly disclosed. Airlines must work with these travel agencies to ensure the restrictions on such fares are transparent. Otherwise, consumers have a right to get angry.


This reminds me of fare dodging on the trains in Germany, all of which run on an honor system. Sometimes you can get away without buying a ticket, but get caught and you’ll be slapped with an 80EUR fine…probably eating up all your cost savings and more.

If you’re going to buy a Basic Economy ticket on American or United and don’t qualify for a larger carry-on, check it before or leave it at home. If you get caught not only will you be paying more than a regular economy class fare…it will be embarrassing.


via:  liveandletsfly

Save pagePDF pageEmail pagePrint page

FCC chairman voted to sell your browsing history; so we asked to see his

Thanks to the FCC chairman, internet providers can now sell Americans’ browsing histories for targeted advertising. ZDNet thought it was only fair to see his — so, we filed a Freedom of Information request.

he Federal Communications Commission has refused to turn over the internet browsing history of its chairman Ajit Pai, weeks after he rolled back rules that prevented internet providers from selling the browsing histories of millions of Americans.

In a response to a request filed by ZDNet under the Freedom of Information Act, the agency said Friday that it had “no responsive documents” to our request. The agency cited a similar decision filed with Homeland Security that found that the law doesn’t require a government agency to create a record in response to a request.

Specifically, we asked for the “web browsing history of all web and mobile browsers used by Ajit Pai on any government network or account,” from the date that the rules were formally revoked by Congress in late March.

The response from the FCC said: “Here, the agency does not have a record that reflects the Chairman’s web browsing history.”

In other words, Pai voted to allow internet providers to turn over your browsing history, but won’t let anyone see his.

Earlier this year, Pai launched his effort to roll back the Obama-era rules that toughened up privacy protections for every American with an internet connection.

But the rule rollback was met with considerable controversy and anger from privacy and rights groups, for fear that internet providers like AT&T, Comcast, and Verizon would be able to gather and sell data about your browsing history to marketers and other companies, including information on customer location, as well as as financial or health status information, and what people shop and search for.

AT&T, Comcast, and Verizon have all said they don’t collect personal information unless customers allow it or share it with third-parties. Critics noted that the named three don’t need the FCC rules to share customer data because they already operate their own advertising networks.

Following the FCC’s rollback, Congress had to vote to approve the changes into law. The measure was passed by the Senate, and later the House.

Though the telecoms and internet provider lobby was largely behind the effort to roll back the rules, it remains unclear how ordinary consumers benefit, if at all, from the changes.

When pressed by reporters, Marsha Blackburn (R-TN, 7th), the sponsor for the House bill, couldn’t say how her bill helps anyone other than the telecoms lobby. According to online publication Vocativ, Blackburn also received over $693,000 in campaign contributions from the telecoms lobby over her 14-year congressional career.

As a member of Congress, Blackburn is exempt from Freedom of Information requests.

You can read the full letter from the FCC below.

Federal Communications Commission
Washington, D.C. 20554

May 12, 2017
Mr. Zack Whittaker
28 B. 28th Street
10th Floor
New York, New York 10016

Re: FOIA Control No. 2017-000501

Dear Mr. Whittaker:

This is in response to your Freedom of Information Act (FOIA) request filed on
March 31, 2017, seeking "[t]he web browsing history of all web and mobile browsers
used by Ajit Pai, chairman of the Federal Communications Commission, on any
government network or account for the week beginning Tuesday, March 29[, 2017].(1)
The due date for FOIA 2017-501 is May 12, 2017(2) We are responding to you by this
deadline. As we explain in more detail below, we have no responsive documents to your

As court precedents make clear, the FOIA does not require an agency to create a
record to respond to a FOIA request.(3) Here, the agency does not have a record that
reflects the Chairman's web browsing history. As the Department of Homeland Security
(DHS) found in response to a similar request, "internet browser history. . . files are
presumably constantly changing, machine-readable files (not likely discrete 'documents'
separate from the given web browsing program used) that were automatically generated
based on the particular user's activity."(4) We agree with DHS that an agency is not
required to generate a discrete document that would reflect the internet browser history of
a certain time period or extract the residual data files automatically maintained by the

(1) See FOIAonline (FOIA Request 2017-000501 (submitted and perfected Mar. 31, 2017)).
(2) See email from Joanne Wall to Zack Whittaker (Apr. 27, 2017) (because of the need to consult with
multiple offices within the Commission, the Office of General Counsel extended the date for responding to
the FOIA request to May 12, 2017, pursuant to 47 C.F.R. § 0.461(g)(1)(i)).
(3)See Pollv. US. Office of Special Counsel, No. 99-402 1, 2000 WL 14422, at *5 n.2 (10th Cir. Jan. 10,
2000) (recognizing that FOIA does not require an agency "to create documents or opinions in response to
an individual's request for information") (quoting Hudgins v. IRS, 620 F.Supp. 19, 21 (D.D.C. 1985), affd,
808 F.2d 137 (D.C. Cir. 1987)).

(4)Letter from Curtis E. Renoe, Attorney Advisor, Office of the Administrative Law Judge, United States
Coast Guard, U.S. Dep't of Homeland Security (DHS), to Jason Smathers, MuckRock News, DHS Appeal
Number 2014-HQAP-00068 at 3-4 (July 18, 2014).

(5)1d. 3-4.

Pursuant to section 0.466(a)(5)-(7) of the Commission's rules, you have been
classified for fee purposes as category (2), "educational requesters, non-commercial
scientific organizations, or representatives of the news media."(6) As an "educational
requester, non-commercial scientific organization, or representative of the news media,
the Commission assesses charges to recover the cost of reproducing the records
requested, excluding the cost of reproducing the first 100 pages. We did not reproduce
any records and you will therefore not be charged any fees.

If you consider this to be a denial of your FOIA request, you may seek review by
filing an application for review with the Office of General Counsel. An application for
review must be received by the Commission within 90 calendar days of the date of this
letter.(7) You may file an application for review by mailing the application to the Federal
Communications Commission, Office of General Counsel, 445 12t1 St. SW, Washington,
DC 20554, or you may file your application for review electronically by e-mailing it to Please caption the envelope (or subject line, if via e-mail) and
the application itself as "Review of Freedom of Information Action."

If you would like to discuss this response before filing an application for review
to attempt to resolve your dispute without going through the appeals process, you may
contact the Commission's FOIA Public Liaison for assistance at:

FOIA Public Liaison
Federal Communications Commission, Office of the Managing Director,
Performance Evaluation and Records Management
44 l2 St., SW, Washington, DC 20554

If you are unable to resolve your FOIA dispute through the Commission's FOJA
Public Liaison, the Office of Government Information Services (OGIS), the Federal
(6) 47 C.F.R. § 0.466(a)(5)-(7).
(7) See 47 C.F.R. § 0.461(j), 1.115; 47 C.F.R. § 1.7 (documents are considered filed with the Commission
upon their receipt at the location designated by the Commission).
FOJA Ombudsman's office, offers mediation services to help resolve disputes between
FOIA requesters and Federal agencies. The contact information for OGIS is:

Office of Government Information Services
National Archives and Records Administration
8601 Adeiphi Road-OGIS
College Park, MD 20740-600 1

cc: FOIA Officer

via:   zdnet


Save pagePDF pageEmail pagePrint page

Equifax confirms Apache Struts security flaw it failed to patch is to blame for hack

The company said the March vulnerability was exploited by hackers.


Equifax has confirmed that a web server vulnerability in Apache Struts that it failed to patch months ago was to blame for the data breach that affected 143 million consumers.

In a brief statement, the credit rating giant said:

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted.”

“We know that criminals exploited a U.S. website application vulnerability,” the statement added.

“The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

For its part, Equifax still has not provided any evidence to support the claim.

The cited Apache Struts flaw dates back to March, according to a public vulnerability disclosure. Patches were released for the vulnerability, suggesting that Equifax did not install the security updates.

Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications, including Equifax’s public website.

Earlier, unconfirmed reports had pointed to Struts as the root of the cyber attack. At least one of the reports, citing a research analyst from equity research firm Baird, was subsequently retracted.

The Apache Foundation, which maintains the Apache web software, said days ago in response to media reports — prior to any confirmation from the company — that at the time it was not clear if Struts was to blame for the cyber attack.

The company is said to have enlisted FireEye-owned Mandiant for its incident recovery.

Despite several requests over the past week, the company has not answered specific questions or responded to requests for comment.


via:  zdnet

Save pagePDF pageEmail pagePrint page