Privacy

Why 'ji32k7au4a83' is a Remarkably Common Password (gizmodo.com) 101

A seemingly complex set of characters like "ji32k7au4a83" is a very common password among users, it turns out. From a report: This interesting bit of trivia comes from self-described hardware/software engineer Robert Ou, who recently asked his Twitter followers if they could explain why this seemingly random string of numbers has been seen by Have I Been Pwned (HIBP) over a hundred times.

Have I Been Pwned is an aggregator that was started by security expert Troy Hunt to help people find out if their email or personal data has shown up in any prominent data breaches. One service it offers is a password search that allows you to check if your password has shown up in any data breaches that are on the radar of the security community. In this case, "ji32k7au4a83" has been seen by HIBP in 141 breaches. Several of Ou's followers quickly figured out the solution to his riddle. The password is coming from the Zhuyin Fuhao system for transliterating Mandarin. The reason it's showing up fairly often in a data breach repository is because "ji32k7au4a83" translates to English as "my password."

Privacy

Consumers Kinda, Sorta Care About Their Data (axios.com) 46

A full 81% of consumers say that in the past year they've become more concerned with how companies are using their data, and 87% say they've come to believe companies that manage personal data should be more regulated, according to a survey out Monday by IBM's Institute for Business Value. From a report: They aren't totally convinced they should care about how their data is being used, and many aren't taking meaningful action after privacy breaches, according to the survey. Despite increasing data risks, 71% say it's worth sacrificing privacy given the benefits of technology. [...] Despite increasing awareness of privacy and security breaches, most consumers aren't taking consequential action to protect their personal data. Fewer than half (45%) report that they've updated privacy settings, and only 16% stopped doing business with an entity due to data misuse.

Australia

Australia Parliamentary Network Hacked In Possible Foreign Government Attack 31

An anonymous reader quotes a report from The Sydney Morning Herald: National security agencies are continuing to scour the Parliament's computer network for threats to MPs' data after what is being described as a "sophisticated" hack attack that could be the work of a foreign government. Alastair MacGibbon, head of the Australian Cyber Security Centre, said the government's cyber experts would work over coming days and weeks to make sure all the breaches had been detected and the hackers' presence removed. The hacking comes just three months ahead of the federal election, prompting fears that if MPs' emails or data were stolen they could be used to cause political interference of the style Russia perpetrated against the United States in the 2016 presidential campaign. Sources said the fact that Parliament had significantly upgraded its cyber defense since an attack by Chinese intelligence agencies in 2011 suggested the latest hackers were highly skilled, potentially pointing to a foreign government. Mr MacGibbon stressed it was too early to say who was behind the attack but said this was part of the investigation. The network is used by all MPs, including ministers. House Speaker Tony Smith and Senate President Scott Ryan said in a joint statement there was "no evidence that any data has been accessed or taken at this time, however this will remain subject to ongoing investigation." They said they had no evidence the hack was an effort to "influence the outcome of parliamentary processes or to disrupt or influence electoral or political processes."

Security

Chrome Can Tell You if Your Passwords Have Been Compromised (engadget.com) 90

An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."
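Both the HIBP password search in the "ji32k7au4a83" story above and Chrome's Password Checkup face the same design problem: how to tell a user that a password is in a breach corpus without the user handing that password to the service. The example below is added here and is not code from either Slashdot story, from HIBP or from Google; it shows the k-anonymity range-query scheme that HIBP's Pwned Passwords API uses (the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally), run against a constructed in-memory breach corpus. The corpus, its counts (141 is the figure quoted above; the others are made up) and the server/client function names are assumptions for the demonstration; Google's own extension uses a different blinding protocol that this code does not reproduce.

```python
import hashlib

# Constructed breach corpus standing in for a Pwned-Passwords-style dataset.
# Counts are sample values: 141 mirrors the figure quoted above, the rest are invented.
BREACH_COUNTS = {
    "ji32k7au4a83": 141,
    "password": 3_730_471,
    "letmein": 238_000,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the digest the range lookup is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(counts: dict) -> dict:
    """Server side: bucket every known hash by its first five hex characters."""
    index = {}
    for password, seen in counts.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append((digest[5:], seen))
    return index


def server_range_lookup(index: dict, prefix: str) -> list:
    """Server side: return every (suffix, count) pair sharing the requested prefix.

    The server only ever receives five hex characters, so it learns which
    prefix bucket the client is interested in, never the full hash or the password.
    """
    if len(prefix) != 5 or set(prefix) - HEX_DIGITS:
        raise ValueError("prefix must be exactly five hex characters")
    return list(index.get(prefix, []))


def client_check(password: str, index: dict) -> int:
    """Client side: send only the hash prefix, compare suffixes locally.

    Returns the number of times the password appears in the corpus, or 0.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, seen in server_range_lookup(index, prefix):
        if candidate_suffix == suffix:
            return seen
    return 0


if __name__ == "__main__":
    idx = build_server_index(BREACH_COUNTS)
    for pw in ("ji32k7au4a83", "correct horse battery staple"):
        print(pw, "->", client_check(pw, idx))
```

The privacy property rests entirely on the split: `server_range_lookup` refuses anything other than a five-character prefix, and the suffix comparison happens in `client_check` on the user's side. Against the real HIBP API the prefix would go in the URL path and the response body would be parsed into the same `(suffix, count)` pairs.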

Security

Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says (cbsnews.com) 106

pgmrdlm shares a report from CBS News: An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son's room Sunday outside Chicago and he heard someone talking. "I was shocked to hear a deep, manly voice talking," Sud said. "My blood ran cold." Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs. The voice was coming from another of the many Nest cameras throughout the couple's Lake Barrington house. "Asking me, you know, why I'm looking at him -- because he saw obviously that I was looking back -- and continuing to taunt me," Sud said. Later that night, Arjun Sud noticed the Nest thermostat they have upstairs had been raised to 90 degrees. He suspected the hacker was behind that too. Nest's parent company, Google, said in a statement that Nest's system was not breached. Google said the recent incidents stem from customers "using compromised passwords exposed through breaches on other websites."

Bug

Lawyer Sues Apple Over FaceTime Eavesdrop Bug, Says It Let Someone Record a Sworn Testimony (cnbc.com) 173

A lawyer in Houston has filed a lawsuit against Apple over a security vulnerability that let people eavesdrop on iPhones using FaceTime. "His lawsuit, filed Monday in Harris County, Texas, alleges that Apple 'failed to exercise reasonable care' and that Apple 'knew, or should have known, that its Product would cause unsolicited privacy breaches and eavesdropping,'" reports CNBC. "It alleged Apple did not adequately test its software and that Apple was 'aware there was a high probability at least some consumers would suffer harm.'" From the report: The suit says that Williams was "undergoing a private deposition with a client when this defective product breached allowed for the recording" of the conversation. Williams claimed this caused "sustained permanent and continuous injuries, pain and suffering and emotional trauma that will continue into the future" and that Williams "lost ability to earn a living and will continued to be so in the future." The lawsuit also says that iOS 12.1, the latest major release of the iPhone operating system, was defective and "unreasonable dangerous" and that Apple "failed to provide adequate warnings to avoid the substantial danger" posed by the security flaw. Williams is seeking compensatory and punitive damages as a result of the exploit.

United States

US Judge Rejects Yahoo Data Breach Settlement (reuters.com) 21

A U.S. judge rejected Yahoo's proposed settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history, faulting the Internet services provider for a lack of transparency. From a report: In a Monday night decision, U.S. District Judge Lucy Koh in San Jose, California, said she could not declare the settlement "fundamentally fair, adequate and reasonable" because it did not say how much victims could expect to recover. Yahoo, now part of New York-based Verizon Communications, was accused of being too slow to disclose three breaches from 2013 to 2016 that affected an estimated 3 billion accounts. The settlement called for a $50 million payout, plus two years of free credit monitoring for about 200 million people in the United States and Israel with nearly 1 billion accounts.

Facebook

Advocacy Groups Are Pushing The FTC To Break Up Facebook (theverge.com) 137

An anonymous reader quotes the Verge: Advocacy groups are calling for Facebook to be broken up as a result of its Cambridge Analytica scandal, subsequent privacy violations, and repeated consumer data breaches. Groups like Open Market Institute, Color of Change, and the Electronic Privacy Information Center wrote to the Federal Trade Commission Thursday requesting a major government intervention into how Facebook operates. The letter outlined several moves the FTC could take, including a multibillion-dollar fine, reforming the company's hiring practices, and most importantly, breaking up one of the most powerful social media companies for abusing its market position...

According to organizations like Open Market Institute and Color of Change, Facebook should be required to give up $2 billion and divest ownership of Instagram and WhatsApp for failing to protect user data on those platforms as well. "Given that Facebook's violations are so numerous in scale, severe in nature, impactful for such a large portion of the American public and central to the company's business model, and given the company's massive size and influence over American consumers," the letter reads, "penalties and remedies that go far beyond the Commission's recent actions are called for."

Security

That 773M Password 'Megabreach' is Years Old (krebsonsecurity.com) 29

Security reporter Brian Krebs writes: My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled "Collection #1" and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely "made up of many different individual data breaches from literally thousands of different sources." KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

Government

Oklahoma Government Data Leak Exposes FBI Investigation Records, Millions of Department Files (zdnet.com) 28

An anonymous reader quotes a report from ZDNet: Researchers have disclosed the existence of a server exposed to the public which not only contained terabytes of confidential government data but information relating to FBI investigations. According to UpGuard cybersecurity researchers Greg Pollock and Chris Vickery, the open storage server belonged to the Oklahoma Department of Securities (ODS), a U.S. government department which deals with securities cases and complaints. The database was found through the Shodan search engine which registered the system as publicly accessible on November 30, 2018.

The UpGuard team stumbled across the database on December 7th and notified the department a day later after verifying what they were working with. To ODS' credit, the department removed public access to the server on the same day. In order to examine the security breach, the team was able to download the server's contents. The oldest records dated back to 1986 and the most recent was timestamped in 2016. In total, three terabytes of information representing millions of files. Contents ranged from personal data to system credentials and internal communication records.

ODS said in a statement to ZDNet: "All state IP addresses, and many city and county addresses, are registered to OMES, but the agency has no visibility into the computer systems at the Oklahoma Department of Securities. For the past eight years the state has been working to consolidate all IT infrastructure under OMES and ODS had the option to consolidate its systems voluntarily and they did not."

Businesses

US CEOs Are More Worried About Cybersecurity Than a Possible Recession (fortune.com) 88

With markets uncertain, many onlookers might think a recession is on the way, whether that's most CFOs in the world or voters in the United States. But domestic CEOs don't find heavy economic headwinds their biggest external business worry, according to a new survey by the Conference Board. Instead, it's cybersecurity followed by new competitors. Risk of a recession is third. From a report: After high-profile data breaches experienced over the last two years by such companies as Marriott, Equifax, and Uber, that might seem understandable. But U.S. CEOs stand in stark contrast to those of the rest of the world. Cybersecurity was the sixth most pressing issue for chief executives in Europe. It was seventh in Latin America, eighth in Japan, and 10th in China. Regarding concerns over a potential recession, Europe put that in second place, while Japan, China, and Latin America all rated it number one.

Privacy

Marriott Says Hackers Stole More Than 5 Million Passport Numbers (cnet.com) 71

Marriott has downsized its original estimate on a major data breach, but the number of people affected is still historic. The hotel group announced Friday that it now believes hackers accessed the records of up to 383 million guests, following an investigation it conducted with a forensics and analytics team. In November, it had reported an estimate of as many as 500 million guests. From a report: Even at that lower figure, the Marriott incident remains one of the largest personal data breaches in history, more than double that of Equifax, which exposed the personal data of 147.7 million Americans. Data breaches have become a common issue for massive companies that collect and store information on millions of people. In 2018, tech giants like Facebook and Reddit fell victim to data breaches. Hackers look for poor protection that they can bypass to steal valuable details like Social Security numbers, birth dates, email addresses and credit card numbers.

Education

'Beware Silicon Valley's Gifts To Our Schools' (nationalreview.com) 140

schwit1 shares a National Review report: After three years, there is no proof that Apple's, Google's, and Microsoft's infiltration of the classroom is producing actual academic improvement and results. Take Facebook's efforts for an example. The company -- under fire for privacy breaches worldwide -- is peddling something called "Summit Learning," a web-based curriculum bankrolled by CEO Mark Zuckerberg and his wife, Priscilla Chan. Last month, students in New York City schools walked out in protest of the program. "It's annoying to just sit there staring at one screen for so long," freshman Mitchel Storman, 14, told the New York Post. He spends close to five hours a day on Summit classes in algebra, biology, English, world history, and physics. Teacher interaction is minimal. "You have to teach yourself," Storman rightly complained. No outside research supports any claim that Summit Learning actually enhances, um, learning. What more studies are showing, however, is that endless hours of screen time are turning kids into zombies who are more easily distracted, less happy, less socially adept, and less physically fit. Standing up to the Silicon Valley Santas and asserting your family's "right to no" may well be the best long-term gift you can give your school-age children.

Security

China Hacked HPE, IBM and Then Attacked Clients, Report Finds (reuters.com) 59

An anonymous reader quotes a report from Reuters: Hackers working on behalf of China's Ministry of State Security breached the networks of Hewlett Packard Enterprise and IBM, then used the access to hack into their clients' computers, according to five sources familiar with the attacks. The attacks were part of a Chinese campaign known as Cloudhopper, which the United States and Britain on Thursday said infected technology service providers in order to steal secrets from their clients. While cybersecurity firms and government agencies have issued multiple warnings about the Cloudhopper threat since 2017, they have not disclosed the identity of technology companies whose networks were compromised. IBM said it had no evidence that sensitive corporate data had been compromised. HPE said it could not comment on the Cloudhopper campaign.

Cloudhopper targeted managed service providers (MSPs) to access client networks and steal corporate secrets from companies around the globe, according to a U.S. federal indictment of two Chinese nationals unsealed on Thursday. Prosecutors did not identify any of the MSPs that were breached. Cloudhopper, which has been targeting technology services providers for several years, infiltrated the networks of HPE and IBM multiple times in breaches that lasted for weeks and months. Reuters was unable to confirm the names of other breached technology firms or identify any affected clients.

Both IBM and HPE provided statements but declined to comment on the specific claims made by the sources. "The security of HPE customer data is our top priority," HPE said. "We are unable to comment on the specific details described in the indictment, but HPE's managed services provider business moved to DXC Technology in connection with HPE's divestiture of its Enterprise Services business in 2017."

"IBM has taken extensive counter measures worldwide as part of its continuous efforts to protect itself and its clients against constantly evolving threats," the company said in an emailed statement. "We take responsible stewardship of client data very seriously and have no evidence that sensitive IBM or client data has been compromised."

Security

Hackers Swipe Card Numbers From Local Government Payment Portals (zdnet.com) 15

A previously unknown hacker group is behind a mounting number of breaches that have been reported by local governments across the US. From a report: In a report published today, US cyber-security vendor FireEye has revealed that this yet-to-be-identified hacker group has been breaking into Click2Gov servers and planting malware that stole payment card details. Click2Gov is a popular self-hosted payments solution, a product of US software supplier Superion. It is sold primarily to US local governments, and you can find a Click2Gov server installed anywhere from small towns to large metropolitan areas, where it's used to handle payments for utility bills, permits, fines, and more.

FireEye says this new hacker group has been attacking Click2Gov portals for almost a year. The company's investigators believe hackers are using one or more vulnerabilities in one of Click2Gov's components -- the Oracle WebLogic Java EE application server -- to gain a foothold and install a web shell named SJavaWebManage on hacked portals. Forensic evidence suggests the hackers are using this web shell to turn on Click2Gov's debug mode, which, in turn, starts logging payment transactions, card details included.

China

Chinese Hackers Breach US Navy Contractors (wsj.com) 61

Chinese hackers are breaching Navy contractors to steal everything from ship-maintenance data to missile plans, triggering a top-to-bottom review of cyber vulnerabilities, WSJ reported Friday, citing officials and experts. From the report: A series of incidents in the past 18 months has pointed out the service's weaknesses, highlighting what some officials have described as some of the most debilitating cyber campaigns linked to Beijing. Cyberattacks affect all branches of the armed forces but contractors for the Navy and the Air Force are viewed as choice targets for hackers seeking advanced military technology, officials said. Navy contractors have suffered especially troubling breaches over the past year, one U.S. official said. The data allegedly stolen from Navy contractors and subcontractors often is highly sensitive, classified information about advanced military technology, according to U.S. officials and security researchers. The victims have included large contractors as well as small ones, some of which are seen as lacking the resources to invest in securing their networks. One major breach of a Navy contractor, reported in June, involved the theft of secret plans to build a supersonic anti-ship missile planned for use by American submarines, according to officials.

Privacy

House Panel Issues Scathing Report On 'Entirely Preventable' Equifax Data Breach (thehill.com) 75

An anonymous reader quotes a report from The Hill: The Equifax data breach, one of the largest in U.S. history, was "entirely preventable," according to a new House committee investigation. The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information. "In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data," according to the 96-page report authored by Republicans. "Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."

The report blames the breach on a series of failures on the part of the company, including a culture of complacency, the lack of a clear IT management operations structure, outdated technology systems and a lack of preparedness to support affected consumers. "A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the committee staff wrote. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company's failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data." The Oversight staff found that the company not only lacked a clear management structure within its IT operations, which hindered it from addressing security matters in a timely manner, but it also was unprepared to identify and notify consumers affected by the breach. The report said the company could have detected the activity but did not have "file integrity monitoring enabled" on this system, known as ACIS, at the time of the attack.
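The committee report singles out the absence of file integrity monitoring on the ACIS system as the reason the activity went undetected. The following example is added here to show what that control does in its simplest form; it is not code from the report, from Equifax or from any FIM product. It hashes every file under a directory into a baseline, takes a second snapshot later, and reports what was added, removed or modified. The `demo()` function builds a constructed, throwaway web root in a temporary directory and simulates two changes; the file names in it are invented for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict:
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256."""
    snapshot = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Stream in chunks so large files do not have to fit in memory.
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snapshot[rel] = digest.hexdigest()
    return snapshot


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots and return sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed scenario: baseline a small web root, then simulate post-baseline changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "index.jsp"), "<html>hello</html>")
        _write(os.path.join(root, "WEB-INF", "web.xml"), "<web-app/>")
        _write(os.path.join(root, "WEB-INF", "old.properties"), "retired=true")
        baseline = hash_tree(root)

        # Simulated tampering after the baseline was taken: an unexpected new
        # file appears under the web root, a config file changes, one file is deleted.
        _write(os.path.join(root, "upload.jsp"), "<% /* new file */ %>")
        _write(os.path.join(root, "WEB-INF", "web.xml"), "<web-app><!-- changed --></web-app>")
        os.remove(os.path.join(root, "WEB-INF", "old.properties"))

        return diff_snapshots(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A production FIM tool adds what this omits: a baseline stored somewhere the monitored host cannot rewrite, permissions and ownership in the snapshot alongside the hash, a schedule or inotify trigger instead of a manual second run, and an alert path into the SOC rather than a printed list. The core logic, though, is exactly this hash-and-diff.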

Security

US Chip Cards Are Being Compromised In the Millions (threatpost.com) 106

According to a study from Gemini Advisory, some 60 million U.S. cards were compromised in the past 12 months. "Of those, 93 percent were EMV chip-enabled," reports Threatpost. "Also, crucially, 75 percent, or 45.8 million, were records stolen from in-person transactions." From the report: These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants, the likes of which continue to make headlines. Further results show that the U.S. leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records. In the past 12 months, about 15.9 million compromised non-U.S. payment cards were posted for sale on the underground, split between 11.3 million card-not-present (online transaction) records and 4.6 million card-present records, of which 4.3 million were EMV enabled. This means that the theft level of EMV-enabled card data in the U.S. is 868 percent higher than the rest of the world combined.

The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance -- too many of them still use the mag-stripe function at PoS terminals. Gemini also said that card-present data "is also collected via a more manual method by skimmer groups, who are utilizing custom made hardware known as 'shimmers' to record and exfiltrate data from ATMs and POS systems." The firm also found that while most large U.S. merchants have fully transitioned to EMV, gas pump terminals and small/medium size businesses are emerging as the main targets for cybercriminals going forward.

Data Storage

An ISP Left Corporate Passwords, Keys, and All Its Data Exposed On the Internet (vice.com) 53

Security researchers at UpGuard discovered that a Washington-based ISP called Pocket iNet left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for months. "Said bucket, named 'pinapp2,' contained the 'keys to the kingdom,' according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists -- as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees," reports Motherboard. From the report: UpGuard says the firm contacted Pocket iNet on October 11 of this year, the same day the exposed bucket was discovered, but the ISP took an additional week before the data was adequately secured. "Seven days passed before Pocket iNet finally secured the exposure," noted the firm. "Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset."

According to UpGuard, the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points. "Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business," noted UpGuard. "If such documents must exist, they should be strongly encrypted and stored in a known secure location," said the firm. "Unfortunately, a single folder of PocketiNet's network operation historical data (non-customer) was publicly accessible to Amazon administrative users," the ISP said in a statement to Motherboard. "It has since been secured."
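The two ways an S3 bucket ends up exposed like this are a bucket policy that grants access to a wildcard principal and a bucket ACL that grants a global grantee group. The ISP's statement describes the folder as accessible to "Amazon administrative users", which in S3 terms is a grant to the AuthenticatedUsers group; that group means any AWS account holder anywhere, not Amazon staff. The example below is added here and is not UpGuard's or Pocket iNet's code; it walks a bucket policy document and an ACL grant list (both constructed to look like the boto3 `get_bucket_policy()` / `get_bucket_acl()` responses, with an invented bucket name and account id) and flags both exposure patterns, then returns the PublicAccessBlock configuration that closes them. It runs offline; no AWS calls are made.

```python
import json

# Grantee group URIs that S3 uses in ACLs (real AWS identifiers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # anyone, unauthenticated
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account

# Constructed bucket policy modelled on a world-readable misconfiguration
# (example-bucket and the account id are invented, not Pocket iNet's real values).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OpsRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0000example"}}},
    ],
})

# Constructed ACL grants shaped like the 'Grants' list boto3 returns.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
]


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" is one entry of a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy_json: str) -> list:
    """Sids of Allow statements open to everyone with no Condition narrowing them."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be given as an object
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def public_acl_grants(grants: list) -> list:
    """(group name, permission) for grants to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def block_public_access_config() -> dict:
    """PublicAccessBlockConfiguration that neutralises both patterns; pass to put_public_access_block()."""
    return {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_GRANTS))
    print("remediation:", block_public_access_config())
```

The `VpcOnly` statement is deliberately not flagged: a wildcard principal behind a condition that pins the request to a specific VPC endpoint is a common and legitimate pattern, so the check only reports unconditioned grants. A fuller audit would also evaluate the condition keys themselves and account-level settings, but the two functions above catch the configuration described in this story.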

Facebook

Major Facebook Investors Want Mark Zuckerberg Out as Chairman (cnbc.com) 59

Major Facebook investors, including public pension funds and state officials, are pushing for Mark Zuckerberg's ouster as chairman of the company's board. From a report: The proposal is largely symbolic, since Zuckerberg holds absolute control of the board. But it comes at a difficult time for Facebook, as security breaches plague the company and spur questions around corporate oversight. "We need Facebook's insular boardroom to make a serious commitment to addressing real risks -- reputational, regulatory, and the risk to our democracy -- that impact the company, its share owners, and ultimately the hard-earned pensions of thousands of New York City workers," New York City Comptroller Scott Stringer said in a statement to CNBC. Stringer joined a previous motion by Trillium Asset Management in calling for Zuckerberg to step down.
