
Tag: celebrities

YouTube taps creators, celebrities for new original shows on ad-supported site

Fitness with Kevin Hart, behind-the-scenes with Ellen, and more.

Pawn Storm targets fresh victims to sway public political opinion

The sophisticated attackers are putting more and more pressure on the military, governments, celebrities and media worldwide.

NASA has essentially stopped tweeting about the #JourneyToMars

It seems unlikely any directive has come down from the Trump administration.

Dissecting Malware

From March 30 through April 2, 2017, one of them — Principal Security Researcher at Kaspersky Lab Nicolas Brulez — will deliver a course on the subject he has been training people around the world on for 12 years, malware reverse engineering.

‘Celebgate’ nudes thief gets just nine months of porridge

I was addicted to porno, says chap who nicked compromising photos of 300 people

An American bloke has been jailed for breaking into the online accounts of 30 or so celebrities (and 270 other people) and swiping their most intimate snaps and secrets. Edward Majerczyk, 29, of Orland Park, Illinois, sent out hundreds of messages masquerading as legit emails from Apple and Google technical support.

These fake alerts convinced victims to type their usernames and passwords into a website controlled by the miscreant, allowing him to ransack their iCloud and Gmail accounts. Majerczyk, the son of two retired Chicago cops, was eventually collared by FBI agents probing "Celebgate" – the moment in 2014 when private nude photos of Kate Upton, Jennifer Lawrence, Ariana Grande and other stars were splashed on 4Chan and Reddit.

The pictures and videos were stolen from the victims' cloud accounts. During questioning, Majerczyk told the Feds he just wanted to "see things through other people's eyes." In a deal with prosecutors last July, he pleaded guilty to one count of unauthorized access to a protected computer to obtain information. “[Majerczyk] not only hacked into email accounts – he hacked into his victims’ private lives, causing embarrassment and lasting harm,” said the FBI's Deirdre Fike. “As most of us use devices containing private information, cases like this remind us to protect our data. Members of society whose information is in demand can be even more vulnerable, and directly targeted.” In addition to his sentence, handed down on Tuesday this week, Majerczyk was ordered to pay $5,700 to foot one celebrity victim's therapy bills.

The FBI also confiscated the hacker's Gateway computer, another desktop system, his iPhone, and various items of storage media.

"At the time of the offense, Mr Majerczyk was suffering from depression and looked at pornography websites and internet chat rooms in an attempt to fill some of the voids and disappointments he was feeling in his life," his lawyer, Thomas Needham, told the court [PDF]. "After accessing the personal information and photographs for his personal viewing, he learned that others were distributing these private images on the internet. Mr Majerczyk did not realize the extent of this crime and was deeply affected by it. He immediately began seeing a therapist."

According to his lawyer, there is no evidence that Majerczyk leaked any of the purloined pictures online. US prosecutors did not charge him with the distribution of the images.

Meanwhile in October last year, Ryan Collins, 36, of Pennsylvania, was jailed for 18 months for stealing similar snaps from people's accounts. Neither he nor Majerczyk have been directly accused of spreading the swiped selfies – a devastating leak that became known as The Fappening.

Majerczyk's lawyer said his client was wracked with guilt and had had panic attacks since raiding his victims' private files. Since it's said that he didn't upload the pictures to message boards, was a first-time offender, and pleaded guilty early, he received a relatively light sentence.

Still, the judge wasn't happy. "The conduct is abhorrent," said US district judge Charles Kocoras during this week's sentencing hearing in Illinois. "It's a very, very trying time that we live in." ®


Wikileaks teases mass doxing wave of verified Twitter accounts

A Friday Twitter post from Wikileaks' official "task force" declared intent to build a publicly searchable database revolving around a particular group of people: verified Twitter accounts. "We are thinking of making an online database with all 'verified' Twitter accounts & their family/job/financial/housing relationships," the Friday tweet reads. A follow-up post sought suggestions from the public and said the group was "looking for clear discrete (father/shareholding/party membership) variables that can be put into our AI software." The task force neither clarified where this information would come from, nor did it clarify its reasons for mulling such a project.

On that same day, the task force's feed repeatedly replied to and quoted posts from verified members of the media. These posts accuse specific journalists and broader media outlets of lying and committing libel, particularly in their reports on alleged hacking perpetrated against the US government. The task force's posts include repeated use of the phrase, "cease and desist or face the consequences." The account also posted a call to its "troops" and asked them to "find falsehoods pushed by journos/politicians" and "correct them." The task force included a search link for any posts by verified accounts with the words "Wikileaks" or "Assange."

The Wikileaks Task Force's specific call to publish and connect metadata dots about verified Twitter accounts could specifically target journalists, who are among the largest population of verified Twitter account holders. Journalists, celebrities, and other heavily followed Twitter users are invited to submit personal information to Twitter to receive a blue check mark on their account. This move was originally intended to increase confidence that an account was actually being used by its stated user, as opposed to a phony account. In more recent years, Twitter has removed that blue check mark from accounts that have violated the site's terms of service.

As described in the task force's tweets, such a database could round up a huge swath of metadata that connects all kinds of dots between otherwise unrelated people—for example, a journalist's family or loved ones. (Edward Snowden's whistleblowing in 2013 alleged that the NSA built a system with similar metadata collection and analysis.) Such a database, distributed specifically to users known as "troops," would likely be used for doxing—as in, the combined gathering and publishing of personal information with intent to exploit that information for the sake of harassment or abuse.

As of press time, neither the task force account nor Wikileaks' social media accounts had yet confirmed if or how such a database would be published. We have reached out to Twitter and the Wikileaks Task Force with questions about this proposed database, and we will update this report with any response.

Uber-creepy: Dial-a-ride devs accused of stalking pop diva Beyonce

All the single ladies... your ex-techbro boyfriends may have snooped on you, too

A former Uber staffer claims the amateur taxi app maker routinely pried into customer records to spy on people, including celebrity riders and ex-partners of employees. The allegations against the ride-sharing giant were made by Ward Spangenberg, a former forensic investigator at Uber who is now suing the Silicon Valley biz for age discrimination.

Spangenberg says in a court statement made as part of the case that Uber's administrative access to customer data (once dubbed "God mode") was routinely abused by employees to track their exes and follow the activity of celebrities – most notably, pop siren Beyonce.

"Uber's lack of security regarding its customer data was resulting in Uber employees being able to track high-profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends and ex-spouses," the former employee and whistleblower claimed. "I also reported that Uber's lack of security, and allowing all employees to access this information (as opposed to a small security team) was resulting in a violation of governmental regulations regarding data protection."

The comments Spangenberg made in court were backed up by several other employees in comments given to the Center for Investigative Journalism claiming that "thousands" of Uber employees are able to view detailed rider information and activity logs on the service.

The allegations surfaced just days after Uber was outed for tracking user activity even after rides end, and Spangenberg says the company's misdeeds go beyond privacy invasion. He also claims that, while a member of Uber's incident response team, he was involved in efforts to thwart government raids of Uber branch offices.

Spangenberg said that when the company got word of a pending police raid, it was standard practice to delete data and destroy equipment. "I would be called when governmental agencies raided Uber's offices due to concerns regarding noncompliance with governmental regulations," he said. "In those instances, Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber's information. I would then be tasked with purchasing all new equipment for the office within the day."

Uber did not respond to the allegations in the statement, citing a policy against commenting on active litigation.

The company did, however, provide The Register with a statement on the allegations made to the Center for Investigative Journalism. "It's absolutely untrue that 'all' or 'nearly all' employees have access to customer data, with or without approval. And this is based on more than simply the 'honor system': we have built [an] entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs," Uber said. "This could include multiple steps of approval – by managers and the legal team – to ensure there is a legitimate business case for providing access." ®

Silver screen script hacker and dox douche gets 5 years in...

Hello [celebrity], please reset your password

Bahamas man Alonzo Knowles has been sentenced to five years jail for hacking the email accounts of celebrities to steal and sell unreleased television and movie scripts, music, financial documents, and pornographic self footage. Knowles pleaded guilty to criminal copyright infringement and identity theft in May and was sentenced this week by US District Judge Paul Engelmayer.

The 24-year-old hacker stole at least 25 unreleased TV and movie scripts including upcoming Tupac flick All Eyez On Me after tricking celebrities into entering their usernames and passwords into phishing emails. Knowles offered to sell scripts to a radio host who then informed the TV show's producer.

Over the course of two weeks in December 2015, Knowles and an undercover law enforcement agent (the UC) communicated about the stolen materials Knowles sought to sell to the UC. Knowles claimed to the UC that he had “exclusive content” that was “really profitable” and worth “hundreds of thousands of dollars.” Knowles stated that he obtained the material directly from the victims without their knowledge, and claimed to be able to acquire such material from at least some of the approximately 130 victims whose email addresses and phone numbers he had in his possession.

From there he attempted to sell the script to agents from the US Department of Homeland Security posing as buyers in a video conference call. The hacker even saved the agents some jet lag by flying to New York City on 21 December last year to sell the scripts and celebrity dox for US$80,000.

Prosecutors said of the lengthy gaol term that Knowles even boasted while in prison about plans to publish a book about some of the celebrity personal information he obtained. The hacker apologised for the "stupid things" he said.

Would You Sacrifice Sex for Online Security?

According to a new survey, about 40 percent of Americans would, alongside giving up their favorite food.

To what lengths would you go to ensure online privacy?

According to a new survey, about 40 percent of Americans would refrain from sex and give up their favorite food to avoid cybersecurity headaches.

Password management firm Dashlane last week reported that nearly four in 10 people would sacrifice lovemaking for a year if in return they could stop worrying about being hacked, identity theft, or losing access to one or more of their online accounts.

Such drastic measures, however, are not necessary if simple password rules are followed—which, based on a continued stream of successful attacks, we clearly aren't all doing.

"The nature of online security has changed dramatically," Dashlane CEO Emmanuel Schalit said in a statement. "Five to 10 years ago, cybersecurity was about protecting devices with anti-virus software.

Today, data isn't on our devices, but in the cloud—and the best line of defense we have to protect this data are passwords."

"This survey data continues to highlight an unfortunate trend—even with breaches happening to everyone from companies and celebrities to consumers, people are continuing to engage in risky password behavior," Schalit said.

Folks continue to hand out passwords like Halloween candy: Dashlane's study suggests 45 percent of Americans have trusted someone, or been entrusted, with a password for email (23 percent) and streaming services (21 percent).

Netflix passwords, for example, are shared among family and friends; the company even acknowledges it happens.

But if any part of that password aligns with another an individual relies on to keep them safe elsewhere, distribution is a white flag of surrender to hackers looking to access personal information.

People are understandably more protective of passcodes linked to money. Passwords for online stores were shared much less often (14 percent), as is the case for banking logins including investment accounts and student loans (9 percent).
Insurance providers are the least shared (6 percent), which makes sense, because who wants to talk about insurance?

Based on responses from more than 2,000 US adults, the study also concluded that younger Americans (millennials aged 18 to 34 who grew up using the Internet) are more trusting and trusted than older generations (64 percent vs. 37 percent), and that married people are less likely to part with passwords (41 percent vs. 49 percent).

A quarter of those surveyed believe that sharing a social media password is more intimate than sex.

But copulation isn't the only forfeiture folks are willing to make: Four in 10 people would rather pass up their favorite food for a month than go through a password reset process.

For more, see PCMag's review of the Dashlane 4 password manager.

Lost in Translation, or the Peculiarities of Cybersecurity Tests

In the book The Hitchhiker’s Guide to the Galaxy there’s a character called the Babel fish, which is curiously able to translate into and from any language. Now, in the present-day world, the global cybersecurity industry speaks one language – English; however, sometimes you really do wish there was such a thing as a Babel fish to be able to help customers understand the true meaning of the marketing messages of certain vendors. Here’s a fresh example. Earlier this month the independent testing lab AV-Comparatives simultaneously conducted two tests of cybersecurity products using one and the same methodology.

The only differences between the two tests were (i) in the line-ups of participating products in each; and (ii) in the names of the tests themselves: Comparative Test of Business Security Products and Comparison of ‘Next-Generation’ Security Products. Strange? A little.
So let me tell you what’s afoot here: why these practically identical tests were conducted at the same time. It’s well-known already (to folks interested in IT security) how some cybersecurity vendors try to avoid open, public testing and comparisons with other products – so as not to expose their inadequacy.

But by not taking part in such tests the marketing machinery of these vendors loses a crucial bit (make that a ton) of leverage: all potential customers – mostly corporate ones – always consult independent tests run by dependable specialist organizations.

So, what were they to do? A solution was found: to join up with other ‘next-gen’ developers to be tested together and separately (no ‘traditional AV’ allowed!), to hide behind a convenient methodology, and coat it all with the BS buzz term ‘next generation’. Days after the testing the ‘next-gen’ participants published their own interpretations of the results based on dubious logical deduction, manipulation of figures, and biased marketing rhetoric.

And you guessed it – those interpretations brought them all to the same conclusion, that ~ “here, finally, it’s been publicly proven how next-gen reigns supreme over traditional products”! Really?

Ok, time we turned on the Babel fish… Is it really true that next-gen products are great? And if so great… – great compared to what? Let’s compare the results of the ‘next-gen’ test with the above-mentioned twin-test – i.e., the same test (using the exact same methodology), only with different (non ‘next-gen’) participating products. Important: the true quality of protection should be judged by the figure outside the brackets that corresponds to protection rate, not detection rate, since there’s no point in just detecting attacks but still then letting them take place, i.e., not stopping them.

[Figure: Protection from malware in different scenarios and false positives]

[Figure: Protection against exploits]

Well, I can hear how the clanging of medals in the next-generation camp seems to have come to a sudden halt, while their ‘victorious’ self-published reports can now be seen for what they really are: mere attempts to intentionally deceive users ‘in the best traditions of misleading test marketing’. Judge for yourself:

One participant in its press release appears to have forgotten to tell anyone about its bombing on protection from exploits (28%), while also seeming to have switched its results on the protection rate in the WPDT scenario (100% instead of 98%).

Another participant also kept quiet about its modest result on protection from exploits (82%), but proudly called its… last-but-one place in the contest in this category as “…outperform[ing] other endpoint security competitors in exploit protection”. It also preferred not to mention its coming last in the AVC scenario test, but that didn’t stop it claiming that mythical ‘legacy AV’ (whatever that is) simply MUST be replaced by its products.

A third participant decided to get straight to the point by laying claim to the crown of the ‘most next-gen of all’, having received nothing short of a blessing certification from this test lab to replace mythical ‘legacy AV’ with its next-gen products.

The Babel fish has a few other questions regarding this test. The methodology used this time for testing protection against malicious programs was simpler than that used in the regular full-fledged Real World Protection Test by which other (non-‘next-gen’) products are normally certified. In the Real World Protection Test, each month for a year six times more real cyberattack scenarios (WPDT) are used. And even adding RTTL and AVC scenarios doesn’t make up for this simplification. So why was simplification of the methodology and a division of the participants (into ‘next-gen’ and ‘business’) needed? Was it an indulgence to the next-gen vendors, which were afraid of flopping big-time on regular tests? How well would these developers do in a full-fledged test together with the technological leaders?

And the last question: what is ‘next generation’? According to a comprehensive study by the SANS Institute conducted at the request of another self-proclaimed ‘next-gen’ vendor, the category ‘Next-generation AV’ covers all large vendors of cybersecurity solutions. Moreover, many ‘next-gen’ vendors do not qualify for the ‘Next-generation AV’ tag – especially when it comes to the level of effectiveness and protection from zero-day threats:

[Figure: excerpt from the SANS Institute study]

I can’t say that I fully agree with the above-mentioned definition: absent from it are such important things as multi-level protection, adaptability, and the ability to not only detect but also prevent, react to and predict cyberattacks, which are all much more important for the user. However, even this definition unequivocally states that all products need to be tested as per one and the same methodology. Simplifying the WPDT-test and dividing the reports into ‘next-gen’ and ‘non-next-gen’ misleads customers, creates a basis for marketing maneuvering and manipulation, and even undermines the trust long invested in the independent labs running the tests.

Take-Aways:

First (in spite of everything): I want to express my thanks to AV-Comparatives for finally being able to conduct a public test of several ‘next-gen’ products. Ok, so the methodology used was WPDT-lite, and the test results can’t be used to directly compare participants. Still, as they say, you can’t have everything straight away – or – the first step is always the most difficult/crucial: the main thing is that ‘next-gen’ has finally been publicly tested by an authoritative independent lab, which is just what we’d been wanting for a long time.

Second: I hope that other independent test labs will follow AV-Comparatives’ example in testing ‘next-gen’ – preferably as per AMTSO standards – and, crucially, together with all vendors. And I hope the vendors, in turn, won’t throw obstacles in the test labs’ way.

Third: When choosing a cybersecurity solution it’s necessary to take into account as many different tests as possible. Reliable products set themselves apart by constantly notching up stable top results in different tests by different independent labs over many years.

And finally: Now, in the nick of time for the planning of budgets for next year, I hope ‘next-gen’ developers will allocate more resources to the development of technologies and participation in public tests, rather than on fancy advertising billboards, planned inaccuracies in press-releases, and expensive parties stuffed with celebrities.

PS – from Babel fish: “The word combination ‘next-generation security’ and its derivations in public communications – be they marketing material, advertising videos, white papers, or the arguments of a sales manager – can be a sign of aggressive telepathic matrixes directed at the promotion of pure BS, and thus necessitate a particularly astringent practical application of critical reason.”

From the author: “I understood none of that, but fully agree with the fish – whatever it was it was babbling on about.”

‘Fappening’ hacker gets 18 months in US federal clapper

One of two CelebGate hackers goes down, but uploader remains at large

The 36-year-old hacker behind some of a massive public leak of private celebrity photos has been sentenced to 18 months in prison. Ryan Collins, of Pennsylvania, was one of two suspects in the September 2014 leaks known online as the Fappening or CelebGate. Celebrities impacted include Jennifer Lawrence, Kate Upton, Rihanna, and Avril Lavigne.

He was arrested in March and charged with hacking 50 iCloud and 72 Gmail accounts owned by Hollywood stars. A second man, Edward Majerczyk, 28, of Illinois, was collared in July and charged with hacking 300 iCloud and Gmail accounts of which 30 belonged to Silver Screeners. Together they hacked some 600 victims. Both have pled guilty to the charges involving sophisticated phishing attacks that saw the pair send mails purporting to come from Apple and Google.

Those efforts, which took place between November 2012 and September 2014, harvested account logins for entertainers and other prominent persons. Collins received a lighter penalty than the five years prison initially on the table for the guilty plea. The uploader or 'leaker' of the stolen images has not been found. ®

36-year-old Pennsylvania man gets 18 months for phishing nude celebrity pics

Ryan Collins, 36, of Pennsylvania, was sentenced to 18 months in prison after pleading guilty to hacking the Apple and Google accounts of more than 100 celebrities, including Jennifer Lawrence, Aubrey Plaza, Rihanna, and Avril Lavigne.

Collins stole personal information, including nude photos, from the celebrities. The photos were famously posted on 4chan and reddit in 2014.

Collins pleaded guilty to hacking the celebrities’ accounts in May, but he did not plead guilty to posting the images on the Internet. “Investigators have not uncovered any evidence linking Collins to the actual leaks or that Collins shared or uploaded the information he obtained,” the Department of Justice (DOJ) noted. According to The Guardian, Collins ran a phishing scheme from November 2012 to September 2014, sending celebrities e-mails that appeared to be from Apple and Google, requesting their user names and passwords. In a press statement, the DOJ wrote that Collins would illegally access respondents’ accounts and search for nude photos and videos. “In some instances, Collins would use a software program to download the entire contents of the victims' Apple iCloud backups,” the DOJ wrote. “In addition, Collins ran a modeling scam in which he tricked his victims into sending him nude photographs.” Collins apparently accessed at least 50 iCloud accounts and 72 Gmail accounts and stole information from more than 600 victims, not all of whom were celebrities. From the beginning, Apple maintained that the hacks weren’t the result of an iCloud vulnerability, but the fruit of a “very targeted attack on user names, passwords and security questions.” In the aftermath of the hack, some celebrities threatened Google with a $100 million lawsuit for failing to "act expeditiously and responsibly to remove the Images."