Tag Archives: Parler

Security News for the Week Ending February 19, 2021

Parler is Back Online

After being down for a month after getting kicked off Amazon, Parler is back online. Existing accounts can log in now; new accounts can be created next week. They have a new interim CEO after the board fired the last one. It does not appear that old content was moved over to the new platform. Apple and Google have not restored Parler’s apps and there are lawsuits and Congressional investigations, so they are not completely out of the woods yet. It remains to be seen what their content moderation strategy will be. In their notice it says that they don’t moderate and then proceed to talk about all the content moderation they are doing – likely to try and stay out of jail. Credit: MSN

Even Though FBI Complains About Going Dark, they Unlock Phones

While the FBI will never be happy until we return to the 1990s when there was no encryption, apparently, according to court documents, the FBI can get into iPhones after first unlock after power up (which is 99.99% of the time) and even read Signal messages. Likely using tools like GrayKey and Cellebrite they can extract data from many encrypted phones. Credit: Hackread

Certification Labs UL Hit By Ransomware

Underwriters Labs, the safety certification organization – which also has a cybersecurity certification – has apparently been hit by a ransomware attack which caused them to shut down their IT systems. Attempts to connect to the MyUL.Com portal return a ‘can’t reach this page’ error message. They have been down for a week so far and have decided not to pay the ransom. This points to how long it takes to recover from ransomware, even for a big company. Credit: Bleeping Computer

Microsoft Says SolarWinds Hackers Stole Some Source Code

Microsoft is now admitting that the SolarWinds hackers were able to download some of their source code including parts of code for Intune, Exchange and Azure. While not complete code for anything, any code that makes it onto the dark web will make it easier for hackers to figure out how to hack Microsoft users in the future. Credit: ZDNet

John Deere Promised Right to Repair But Didn’t Quite Do That

In 2018 John Deere lobbyists successfully killed a number of state legislative bills that would have allowed farmers to repair their own tractors and heavy equipment. In exchange, Deere pinky-promised to make the software and manuals available in three years. That would be January 1 of this year. Apparently, Deere, while successful at killing the bills, has not lived up to their end of the bargain and some of the state legislators are not terribly happy. Expect at least some states to introduce new “right to repair” bills this year. What is unknown is how broad these bills will be. Will they just allow a farmer to repair his/her tractor or will it also allow iPhone users to also repair their phones? Credit: Vice

Security News for the Week Ending January 22, 2021

Parler Finds A New Home With Russian Hosting Provider in Belize

“Hello world, is this thing on? With that message Parler’s website is back online. Well at least a one page website is back online. The site is being hosted by Russian-owned DDoS-Guard, a company that apparently also hosts ISIS web sites. Whether the folks who invaded the Capitol earlier this month are going to be willing to post their content on a Russian hosted server is not clear. It is unlikely that their hosting provider would respond to a US subpoena, but whether they would steal the posts for their own purpose is a different question. Credit: Cybernews

Capitol Terrorist Who (Allegedly) Planned to Sell Pelosi’s Laptop to Russian Intelligence Arrested

The amazing amount of video footage from the storming of the Capitol is really making the cops’ lives a lot easier. Riley June Williams, 22, from Pennsylvania, was outed by her former boyfriend. She videoed herself committing the felony and then shared that video. She has now been arrested. She has not been charged with espionage, yet. After the events of January 6th, she changed her phone number, deleted her social media accounts and fled. Her public defender wants her released but the feds say that she is a flight risk. Given she disappeared even before she was charged, that doesn’t seem unreasonable. Credit: WaPo

Parler Data Is Available for Download

If you want to be an amateur detective and you have 70 terabytes or so of free disk space on your computer, you too, can download the data that was scraped from the site during its last few hours of its existence. It is chunked down to 4GB chunks and more of it is being uploaded in real time. This will be examined and reexamined for a long time. Details can be found here.

Malware Bytes Joins Club of Those Hacked by SolarWinds Hacking Team

Malware Bytes joins the long and getting longer list of those folks sucked in by the Solar Winds attackers. In their case, they did not use Solar Winds but were compromised by other techniques used by the Solar Winds attackers. They said the damage was minor and limited to some of their emails. Credit: Cyber News

Trump Pardons Google Engineer Who Stole Self Driving Car Trade Secrets and Took Them to Uber

Anthony Levandowski, the Google Engineer who went to work for Uber’s self driving car division, was pardoned by Trump after being sentenced to 18 months for his theft. I am not sure if the pardon relieves him of the obligation to pay Google the $179 million fine, but it probably does. He took 141,000 files with him and likely advanced Uber’s progress by years. Google settled it’s lawsuit against Waymo in 2018 and paid a multi-hundred-million dollar fine. Curiously, Google is an investor in Uber, so they probably don’t want to hurt them too much. Credit: Cyber News

Breaches Down; Record Count Up

According to Risk Based Security, the NUMBER of breaches reported fell 48% in 2020 compared to 2019, but the number of records exposed was UP by 141% to an amazing 37 BILLION records. We don’t believe that the number of breaches was actually down; likely it is just that a lot of breaches are not being reported. Part of it may be that with other important events like the election and Covid, the media is not covering breaches. In addition, we are seeing some really large breaches. Hacking group Shiny Hunters disclosed 129 million hacked records in just five weeks. Credit: Tech Republic

Its Been A Bad Week for Parler and it is Only Monday

First Apple and Google removed the Parler app from both of their app stores.

Then Amazon kicked them off Amazon’s AWS platform for violating their terms of service.

That would seem like a problem for most companies, but that was the good part of their week.

Yesterday a security researcher who goes by the nickname “crash override” said that she was “crawling URLs for all videos uploaded to Parler”. About a million of them. Including ones that may have been deleted or marked private.

In total, about 70 terabytes of users’ posts was compromised.

And indexed and made public by the researcher.

This includes videos made and uploaded during the riot.

Which can be tied to the Parler user’s ID, IP address, etc.

Which if they were inside the Capitol during the riot …

But that is not all.

Parler’s CEO said that many of it’s vendors have decided that Parler’s money is not worth the reputational damage of being associated with them. Actually, he didn’t say that. He said “every vendor from text message services to email providers to our lawyers all ditched us too”. You draw your own conclusion. Credit: The Independent

Apparently Parler encouraged people to upload their drivers license to get a verified person badge. Not great if the videos show you participating in a felony.

The researcher said that her plan is to archive every single post from the day of the riot. I am sure that the thousands of FBI personnel working on the case will appreciate her thoughtfulness. Credit: Gizmodo

The response of one Parler user was “It would be a pity if someone with explosives training were to pay a visit to some AWS Data Centers – the location of which are public knowledge.”

This is the “party of law and order”.

As of the writing of this post, if you try to go to Parler’s web site you get a site not found message.

Parler has filed a lawsuit against Amazon and is trying to get a TRO.

Reports say that the researcher was able to exploit a bug in Parler’s API. This is not a big surprise as APIs are notoriously difficult to make secure.

From what I understand, Parler has some deep pocketed investors, but will they be willing to pony up more money after this? And will users come back after their privacy was destroyed? All of this remains to be seen.

Suffice it to say, this story will be in the news for a while and if I were someone who posted anything on Parler, I would be nervous the next time there is a knock on your door.