Google: We're bombarded by gov't requests on user data


The US government is on a data-gathering spree at Google, new data from the search giant reveals.

Between January and June 2013, the US government issued nearly 11,000 requests to Google asking for user information, or about 42 percent of the global total. India was second with nearly 2,700 government requests.

The collective requests from governments around the world during that six-month period have more than doubled in the three-and-a-half years since Google's first government transparency report, which covered the second half of 2009. "And these numbers," Google said in a blog post Thursday, "only include the requests we're allowed to publish."

It's the things that Google can't share about those data requests that really has the company hot and bothered.

"We believe it's your right to know what kinds of requests and how many each government is making of us and other companies," Google Legal Director Richard Salgado wrote in the blog post. "However, the US Department of Justice contends that US law does not allow us to share information about some national security requests that we might receive. Specifically, the U.S. government argues that we cannot share information about the requests we receive (if any) under the Foreign Intelligence Surveillance Act. But you deserve to know."

To underscore that point, Google posted a quartet of graphs illustrating the volume and nature of the government requests. In the fourth of the four graphs, to reflect the constraints on its ability to provide transparency on national security-related FISA requests, Google drew thick black lines over a barely visible bar chart, in the manner of a heavily redacted document.

FISA has become a hot-button topic this year after former NSA contractor Edward Snowden released secrets on the US government's alleged spying activities. The US government has used FISA to block technology companies like Google from sharing what kind of requests they've received. Some of those companies brought a federal case earlier this year in an attempt to share that information. So far, those efforts have failed.

Apple last week released its latest report on government data requests, with a similar call for the US government to open up. These sorts of transparency reports have become a regular thing for tech titans, with the list also including Twitter, Yahoo, Google, and Facebook.

Google also urged Washington to take action to shore up privacy protections for US citizens:

    We strongly believe that the Electronic Communications Privacy Act (ECPA) must be updated in this Congress, and we urge Congress to expeditiously enact a bright-line, warrant-for-content rule. Governmental entities should be required to obtain a warrant--issued based on a showing of probable cause--before requiring companies like Google to disclose the content of users' electronic communications.

The American Civil Liberties Union (ACLU) has been one of the more outspoken critics of the US government's secrecy. In a statement on Thursday, the organization's legislative counsel, Christopher Calabrese, expressed much the same outrage:

Law enforcement requests to Google have tripled in four years but we're still stuck with the same Internet privacy law we had in 1986. If police need a warrant to open someone's mail then they should need one to rifle through someone's e-mail, regardless of its age or if it's stored on a company's server. It's time Congress and the president updated (the) Electronic Communications Privacy Act (ECPA) so there's only one standard for government access to the content of our electronic communications: a warrant based upon probable cause. Anything less is indefensible.

It bears noting that many government requests for user data are of a rather routine law enforcement nature. Of the 10,918 requests made by the US in the first half of 2013, for instance, 68 percent were subpoenas, and 22 percent were warrants, according to Google.

In the second half of 2009, the period covered by Google's first transparency report, the US government made 3,580 data requests, for about 28 percent of the global total of 12,539 requests.

New Internet Bug Bounty holds companies accountable, protects hackers


Hackers looking to make quick cash just got a new way to grease their bank accounts with the launch of HackerOne's Internet Bug Bounty.

Security high-hats from primary sponsors Microsoft and Facebook, along with volunteers from Etsy, Chrome and ISEC Partners calling themselves HackerOne today announced a bounty program trading cash for bugs in OpenSSL, Python, Ruby, PHP, Rails, Perl and "the Internet," among others.

According to HackerOne's Disclosure Policy, the companies behind the program are not allowed special access or rights to the submitted bugs.

Hackers can submit as anonymously as they prefer. Response Teams from affected companies and products are cautioned against taking punitive action against the hackers.

And if you're on a response team for a product that might be affected by a bug on the bounty list, you'd be wise to register with HackerOne if you want to be notified about exploits and vulnerabilities immediately.

Legit bugs affecting products will be reported to Response Teams right away through the HackerOne platform, otherwise the Internet Bug Bounty panel promises to do everything possible to reach and inform affected companies with the disclosure.

And if a company doesn't pick up the phone when HackerOne calls?

Companies have seven days to respond, then:

If we aren't able to contact the Response Team, the Bug Report will be made public 30 days after our initial contact attempt.

Regardless, all bug data is eventually shared with the public.

The Internet Bug Bounty says its aim is "Rewarding friendly hackers who contribute to a more secure internet."

Before you go off thinking the program is just for white knights, the organizers have made it clear they're also looking for bug hunters who want to remain off the books: submitters can remain anonymous, even to the point of deferring payment to a charity of their choice.

To register, hackers only need provide a name, username, password, and email address; HackerOne states it deletes all access logs after 180 days.

But if you're looking for credit, HackerOne says you'll definitely get it.

HackerOne told ZDNet that hackers choosing to give their reward to charity can pick any charity they like, plus HackerOne might even throw in a little extra scratch to give the hacker's favorite charity a bit more to celebrate.

Its Disclosure Policy has some ethical guidelines for hackers to follow if they're going to play ball with HackerOne, but HackerOne has written its policy to be clear about its stance on protecting hackers who bring in bugs.

The guidelines for Response Teams that HackerOne will work with state that teams from affected products and companies have to credit the hacker for discovery, and can't threaten hackers, punish them for finding vulns, or turn them over to the cops.

HackerOne's Disclosure Guidelines state, "Response Teams should..."

Do no harm. Not take unreasonable punitive actions against researchers, like making legal threats or referring matters to law enforcement.

Perhaps that's because some of the people on HackerOne's interesting team have seen some action.

We’re a group of hackers and researchers who have been frustrated by the failings of vulnerability disclosure status quo.

Members of our team have managed bounty programs at Facebook, Google and Microsoft, participated in bug bounty programs, and disclosed vulnerabilities under dubious conditions.

Young hackers can join the hunt, too. There is no minimum age for submissions and payout, though in keeping with the Children's Online Privacy Protection Act hackers under 13 will need to have a parent or guardian claim the bounty.

Sandbox escapes and "the Internet" start at $5K, with OpenSSL at $2500, followed by Python, Ruby, PHP, Rails and Perl coming in at $1500 per bug. Apache httpd and Nginx fetch $500 a pop, Phabricator is $300, while Django is listed at this time with no minimum bounty.

Hackers can also submit bugs via private YouTube videos, but HackerOne requires all video submissions to have bad techno playing in the background.



NSA Monitors Google, Yahoo, Microsoft's Data Centers


The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

According to a top-secret accounting dated Jan. 9, 2013, the NSA’s acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency’s headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — including “metadata,” which would indicate who sent or received e-mails and when, as well as content such as text, audio and video.

The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, the Government Communications Headquarters (GCHQ). From undisclosed interception points, the NSA and the GCHQ are copying entire data flows across fiber-optic cables that carry information among the data centers of the Silicon Valley giants.

The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process.

The MUSCULAR project appears to be an unusually aggressive use of NSA tradecraft against flagship American companies. The agency is built for high-tech spying, with a wide range of digital tools, but it has not been known to use them routinely against U.S. companies.

In a statement, the NSA said it is “focused on discovering and developing intelligence about valid foreign intelligence targets only.”

“NSA applies Attorney General-approved processes to protect the privacy of U.S. persons — minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention, and dissemination,” it said.

In a statement, Google’s chief legal officer, David Drummond, said the company has “long been concerned about the possibility of this kind of snooping” and has not provided the government with access to its systems.

“We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform,” he said.

A Yahoo spokeswoman said, “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”

Under PRISM, the NSA gathers huge volumes of online communications records by legally compelling U.S. technology companies, including Yahoo and Google, to turn over any data that match court-approved search terms. That program, which was first disclosed by The Washington Post and the Guardian newspaper in Britain, is authorized under Section 702 of the FISA Amendments Act and overseen by the Foreign Intelligence Surveillance Court (FISC).

Mac OS X Mavericks REVIEW

Everyone running a Mac has probably seen the free upgrade by now. Take a look at the review posted on The Verge.

Experian Sold Consumer Credit Information to ID Theft Service

The information below was gathered and researched by Krebs on Security.


An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.

In November 2011, this publication ran a story about an underground service called, a fraudster-friendly site that marketed the ability to look up full Social Security numbers, birthdays, drivers license records and financial information on millions of Americans. Registration was free, and accounts were funded via WebMoney and other virtual currencies that are popular in the cybercriminal underground.

Each SSN search on returned consumer records that were marked with a set of varying and mysterious two- and three-letter “sourceid:” identifiers, including “TH,” “MV,” and “NCO,” among others. I asked readers who may have a clue about the meaning or source of those abbreviations to contact me. In the weeks following that post, I heard from many readers who had guesses and ideas, but none who seemed to have conclusive information.

That changed in the past week. An individual who read a story about the operators of a similar ID theft service online having broken into the networks of LexisNexis and other major data brokers wrote to say that he’d gone back and reviewed my previous stories on this topic, and that he’d identified the source of the data being resold by The reader said the abbreviations matched data sets produced by Columbus, Ohio-based

Contacted about the reader’s claim, U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement. Martin said that several years ago US Info Search and Court Ventures each agreed to grant the other company complete access to its stores of information on US consumers.

Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Cached, historic copies of are available through


Apple is misleading people on iMessage security

A security researcher has suggested that Apple's claim that its iMessage app is spook-proof and secure is "just basically lies".

Cyril Cattiaux, who works at the research firm QuarksLab, made his claims during a speech to the Hack in the Box conference, which were quoted by PC World – the tech news site, rather than the British retailer.

In a detailed blog post, Cattiaux said that the public key cryptography used by Apple in its iMessages made them vulnerable to snooping.

He said: "The weakness is in the key infrastructure, as it is controlled by Apple. They can change a key any time they want, thus read the content of our iMessages."
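The weakness Cattiaux describes is a trust problem, not a cipher problem: if the party that runs the key directory can hand a client any public key it likes, the client will encrypt to whoever holds the matching private key. The following is an added example, written for this page and not taken from QuarksLab's research or from Apple's protocol, that models such a directory with a toy in-memory class and shows how a client-side pin (trust on first use, confirmed out of band by comparing fingerprints) detects a substituted key. The `KeyDirectory`, `PinningClient` and `run_demo` names are invented for the demo, and random bytes stand in for real public keys.

```python
import hashlib
import os

# Constructed model of a provider-run key directory. Clients that trust it
# blindly will encrypt to whatever key it returns for a user id.


class KeyDirectory:
    """Hypothetical directory mapping user id -> public key bytes (toy, not Apple's)."""

    def __init__(self):
        self._keys = {}

    def register(self, user_id, public_key):
        self._keys[user_id] = public_key

    def lookup(self, user_id):
        return self._keys[user_id]


def fingerprint(public_key):
    """Short SHA-256 fingerprint of a key, the value two users would compare out of band."""
    return hashlib.sha256(public_key).hexdigest()[:16]


class PinningClient:
    """Client that records the first key it sees for each peer (trust on first use)
    and refuses to send if the directory later serves a different key."""

    def __init__(self, directory):
        self._directory = directory
        self._pins = {}  # user_id -> fingerprint recorded on first contact

    def key_for(self, user_id):
        """Return (public_key, status); status is 'pinned', 'ok' or 'key_changed'."""
        public_key = self._directory.lookup(user_id)
        fp = fingerprint(public_key)
        pinned = self._pins.get(user_id)
        if pinned is None:
            self._pins[user_id] = fp
            return public_key, "pinned"
        if pinned != fp:
            # The directory now serves a different key: either the peer re-keyed
            # or the directory operator substituted a key it controls. Stop and
            # require out-of-band confirmation instead of silently accepting it.
            return None, "key_changed"
        return public_key, "ok"

    def confirm_out_of_band(self, user_id, fingerprint_from_peer):
        """Accept the directory's current key only if its fingerprint matches one
        the peer communicated over another channel; otherwise keep the old pin."""
        public_key = self._directory.lookup(user_id)
        if fingerprint(public_key) != fingerprint_from_peer:
            return False
        self._pins[user_id] = fingerprint_from_peer
        return True


def run_demo():
    """Walk through a directory key substitution and report what each client does."""
    directory = KeyDirectory()
    bob_key = os.urandom(32)  # constructed stand-in for Bob's real public key
    directory.register("bob", bob_key)

    alice = PinningClient(directory)
    _, first = alice.key_for("bob")   # first contact: key gets pinned
    _, second = alice.key_for("bob")  # same key again: ok

    # The directory operator swaps in a key whose private half it holds.
    substituted_key = os.urandom(32)
    directory.register("bob", substituted_key)
    key, third = alice.key_for("bob")  # pin mismatch: client refuses

    # A client with no pin simply uses whatever the directory returns.
    naive_key = directory.lookup("bob")
    return {
        "statuses": [first, second, third],
        "refused": key is None,
        "naive_accepts_substituted": naive_key != bob_key,
        # Bob's real fingerprint no longer matches, so the new key stays rejected.
        "oob_wrong_fp": alice.confirm_out_of_band("bob", fingerprint(bob_key)),
        # Only a fingerprint Bob actually confirms for the new key re-pins it.
        "oob_right_fp": alice.confirm_out_of_band("bob", fingerprint(substituted_key)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The pin does not prevent the directory from serving a bad key; it turns a silent substitution into a visible "key changed" event the user can act on, which is the gap Cattiaux is pointing at in a client that trusts the directory unconditionally.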

However, there is no suggestion that Apple wilfully misled its customers and it has not been accused of actually reading fanbois' iMessages.

In June, Apple released the following statement which discussed the security of iMessage:

Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data.

Apple's iMessage is a text-messaging service which allows users to send free messages over Wi-Fi.
