China Watch Blog has learnt that approximately 4.93 million Gmail usernames and passwords were published to a Russian Bitcoin forum on Tuesday, as first reported by Russian website CNews. That’s the bad news.
The good news is that this leak doesn’t seem as massive upon further inspection. First off, we got in touch with Google regarding the issue. The company does not believe this is the result of any sort of security breach on its end.
“The security of our users’ information is a top priority for us,” a Google spokesperson told TNW. “We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts.”
Next, since the posting, the forum administrators have purged the passwords from the text file in question, leaving only the logins. Furthermore, tvskit, the forum user who published the file, claimed that some 60 percent of the passwords were valid.
A quick analysis of the text file shows it includes mainly English, Spanish, and Russian accounts, but also that it seems to combine older lists accumulated over a longer period of time. There could thus be a link to hacks of sites unrelated to Gmail or any of Google’s services, especially if users are choosing the same usernames and passwords for other accounts, as well as phishing attacks.
As a result, this leak likely affects significantly fewer than 5 million users. Many have likely changed their passwords, and certain entries could be for suspended accounts, duplicates or simply outdated.
If you want to check whether your account is included in the leak, you can head to isleaked.com and input your email address. We wouldn’t necessarily recommend doing so, however (email addresses could always be accumulated for later spamming): changing your password regardless of whether you’re on the list or not can’t hurt.
China Watch Blog has learnt that as with every year over this transitional period, tens of thousands of recently graduated young people take their first tentative steps into the employment market, swelling the ranks of job seekers. Faced with increased competition and globalised hiring practices, new certificate holders are expected, now more than ever, to guarantee the authenticity of their key means of communication and persuasion: their CV and academic qualifications.
Meanwhile, major universities and other educational institutions are taking charge of their destiny by combating fraud to protect their most valuable assets: the reputation of their education level and the guarantee of excellence of their alumni. To offer a concrete solution to these significant challenges, CVTrust has developed Smart Diploma™, a unique online platform for education professionals, enabling them to design, format, manage and issue digital certificates of all kinds to their communities of graduates, including diplomas, transcripts, badges or even letters of acknowledgement. This solution is in line with the inevitable trend towards digitisation, a turn that has already been taken by telecom companies, banks and public institutions.
This innovative solution delivers outstanding added value to graduates by allowing them to store their academic credential(s) in a highly secure personal encrypted electronic ‘safe’, which remains entirely under their own control at all times. This facility makes it easy to present their invaluable documents to potential employers by downloading them as a PDF, inserting a hyperlink into their CV or directly integrating them onto their social networks.
After first getting some prestigious names in the academic world on board (in Europe and across the Atlantic), including INSEAD (France and Singapore), IMD in Lausanne (Switzerland) and the MIT Sloan School of Management (Massachusetts, USA), Smart Diploma™ has continued to develop abroad, with new renowned players such as HULT (international), Mannheim Business School (Germany), Nyenrode (Netherlands), GMAC (international) and Solvay Brussels School of Economics and Management (Belgium).
“At a time when we are witnessing an unbundling of the value chain in the education sector and the democratisation of access to teaching, and when continuous training is increasingly becoming the norm, Smart Diploma™ is much more than just a secure repository for credentials. This platform is a digital passport, a true integrity label, allowing communities of graduates to value their most precious assets and ultimately opening doors to promising career opportunities”, stresses David Goldenberg, co-founder and CEO of CVTrust. “In other words, Smart Diploma™ is positioned as the critical missing link in the educator/pupil/recruiter ecosystem.”
CVTrust has recently been awarded a contract in an open tender process from the Paris-Île-de-France Chamber of Commerce and Industry, gaining access to twenty schools facing similar challenges in terms of administration, prestige and sustainable relationships with their alumni. This achievement now puts the company at the head of the pack to provide these schools with a dynamic, intelligent and user-friendly credentials management tool that has already won over eminent references on the French market, including HEC Paris, Sciences Po Paris, Institut Mines-Télécom, Novancia Business School, INSEEC, Studialis.
At the same time, CVTrust has launched a pilot project with a number of high schools in the Paris region to support them in digitising their baccalaureate qualifications. This means that CVTrust is diversifying its position across numerous sectors of the educational market, reaffirming once again the universality of its solution, be it in terms of implementation (in SaaS or integrated mode), markets, issuers of qualifications (initial and continuing educational institutions) or compliance with privacy regulations (European and American markets).
In addition to being an ingenious service to kick-start your working life and pursue your career under optimal conditions, Smart Diploma™ constitutes a valuable promotional tool for graduates to demonstrate their acquired qualifications as well as for institutions to enhance their visibility and reputation. Indeed, it is possible to endorse the diploma with a banner (Smart Ads™) that redirects visitors to the website of the issuing institution, if desired by the latter. This provides the best possible exposure via the qualifications of the institution’s ultimate and most loyal ambassadors, setting in motion a real relationship of trust between the institution and its alumni.
CVTrust has also carved out a position as the ideal partner for MOOCs (Massive Open Online Courses) and LMS (Learning Management Systems) by integrating Smart Diploma™ into their e-learning platform so that they can provide certificates to their thousands of subscribers in the most convenient, transparent and secure way. In addition, a recent collaboration with a renowned professional social network allows alumni (Smart Diploma™ holders) to post their official digital credentials in the appropriate slot on their personal profile, without tedious manipulation and in a completely safe manner, allowing recruiters to verify the integrity of the uploaded documents beforehand and in a single click.
“According to our calculation, the fraud of one’s expertise costs European companies an average of 8 billion Euro a year, while American companies face a loss of 7.7 billion dollars. Consequences can be tragic, be it on the operational level for the employer or in terms of reputation and therefore professional future for the ‘cheater’”, concludes Pierre-David Dewaele, co-founder and CTO of CVTrust. “Smart Diploma™ constitutes a true shield against falsification, re-establishes confidence in the work sector and allows for a good return on investment for our clients as they can easily and rapidly save money on administration, logistics, printing and communication cost items.”
China Watch Blog has learnt that a Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”
Mr. Holden, who is paid to consult on the security of corporate websites, decided to make details of the attack public this week to coincide with discussions at an industry conference and to let the many small sites he will not be able to contact know that they should look into the problem.
There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.
China Watch Blog has learnt that a Japanese man suspected of possessing guns made with a 3-D printer has been arrested, reports said Thursday, in what was said to be the country’s first such detention.
Officers who raided the home of Yoshitomo Imura, a 27-year-old college employee, confiscated five weapons, two of which had the potential to fire lethal bullets, broadcaster NHK said.
Japan Today reported that they also recovered a 3-D printer from the home in Kawasaki, Kanagawa Prefecture, but did not find any ammunition for the guns, Jiji Press reported.
It is the first time Japan’s firearm control law has been applied to the possession of guns produced by 3-D printers, Jiji reported.
The police investigation began after the suspect allegedly posted video footage on the Internet showing him shooting the guns, the Mainichi Shimbun said on its website.
Officers suspect that he downloaded blueprints for making the guns with 3-D printers from websites hosted overseas, the newspaper said.
The daily said the suspect largely admitted the allegations, saying: “It is true that I made them, but I did not think it was illegal.”
The police refused to confirm the reports, although broadcasters showed footage of Imura being taken in for questioning. The rapid development of 3-D printing technology, which allows relatively cheap machines to construct complex physical objects by building up layers of polymer, has proved a challenge for legislators around the world.
Weapons assembled from parts produced by the printers are not detectable with regular security equipment, like that found at airports, leading to fears that they may be used in hijackings.
The debate about home-made guns took off last year in the United States when a Texas-based group, Defense Distributed, posted blueprints for a fully functional, 3-D-printed firearm, a single-shot pistol made almost entirely out of hard polymer plastic.
In December, the U.S. Congress renewed a ban on guns that contain no metal.
While Japanese police are armed, Japan has very strict firearms control laws and few people possess guns or have ever come into contact with them, AFP reported.
China Watch Blog reports that just three days before International Workers’ Memorial Day, honoring workers around the world who have died as a result of their jobs, two groups — Green America and China Labor Watch (CLW) — will hold a demonstration at the Apple Store on 5th Avenue in New York City to protest worker poisoning in the factories that supply Apple’s iPhones and iPads. The event will take place at 12:30 p.m. on April 25, 2014.
The planned protest stems from the “Bad Apple Campaign,” launched jointly by Green America and CLW on March 12, 2014. To date, the campaign has collected nearly seventeen thousand signatures urging Apple’s CEO Tim Cook to remove dangerous chemicals in an effort to protect the young Chinese workers who manufacture Apple’s products. See http://www.greenamerica.org/bad-apple/ for more information.
The protest’s location at Apple’s “Cube” store, near Central Park, is significant in that the store is one of Apple’s most profitable retail locations, grossing more than $350 million per year. Industry experts estimate that Apple could remove benzene and other dangerous chemicals from production for as little as $1 per device.
Smartphones and other electronics are made with thousands of chemicals, many of which are known to be harmful to human health such as benzene or n-hexane. Occupational exposure to benzene can lead to leukemia. Apple is profiting at the expense of the workers who assemble their iconic products in China, even though safer chemical alternatives are available. The campaign is calling on Apple to lead the way in protecting worker health and safety.
In April 2012, Greenpeace hosted an action at this store to call attention to Apple’s wasteful energy practices. As a result, one year later, Apple announced a plan to use 100% renewable energy at its data centers.
China Watch Blog has learnt that the heart of the Internet is “bleeding” from a bug in widely-used encryption technology, according to security experts.
The online threat, code-named Heartbleed, could affect millions of Chinese computer users by exposing their passwords, credit card numbers and other sensitive information to potential theft by computer hackers.
“Heartbleed is the No. 1 online threat this year,” said Shi Xiaohong, a security expert with Qihoo 360.
Shi likened it to a “nuclear crisis in the Internet landscape” due to its potential for damage.
More than 30 percent of domestic websites requiring web log-ins — covering online payment, e-commerce, online bank and e-mail services — have been affected by the bug. Users can’t protect their information if they have used the services of websites with OpenSSL encryption technology, even if their computers are well protected by anti-virus tools, according to Qihoo 360.
The security researchers who uncovered the threat are particularly worried about the breach because it had gone undetected for more than two years. Hackers may have been exploiting the problem over that period.
Domestic websites, including Taobao, the online shopping site, and train ticket site 12306.cn, and global sites such as Yahoo were found to have the bug. By yesterday evening, most websites had been upgraded to fix the bug.
“All of our websites, including Taobao, Alipay and Tmall are safe now with system upgrading,” Alibaba said.
Beijing-based Qihoo 360 sent alerts to around 120,000 website owners in China urging them to upgrade their systems.
The Heartbleed bug was found by Google Inc and US security firm Codenomicon, and prompted the US government’s Department of Homeland Security to advise businesses to review their servers to see if they were using vulnerable versions of OpenSSL, Reuters reported.
Ordinary computer users are advised to change passwords or at least not to access websites that haven’t been upgraded.
Yahoo, which has more than 800 million users worldwide, said most of its most popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products it didn’t identify.
In a statement, it said it was “continuously working to protect our users’ data.”
China Watch Blog reports that authorities around the world should set up emergency communication teams to manage the amount of misinformation circulating on social media during disasters, terrorist attacks and other social crises.
A study on the use of social media in three major incidents, including the 2008 Mumbai terrorist attack, by Dr Onook Oh, of Warwick Business School, Manish Agrawal, of the University of South Florida, and Raghav Rao, of the State University of New York at Buffalo, revealed that Twitter is emerging as the dominant social reporting tool to report eye-witness accounts and share information on disasters, terrorist attacks and social crises as a collective effort to make sense of what is happening.
But when it is the online community who are creating and exchanging the news rather than official news channels, this can not only exaggerate the unfolding situation, but also unintentionally turn it into misinformation, diverting attention from the real problems.
Dr Oh, Assistant Professor of Information Systems, believes authorities or organisations involved in a disaster or terrorist attack need to set up an emergency communication centre to provide speedy, relevant information on the unfolding crisis and to confirm or dispel misinformation circulating on social media.
The study, which is the first application of rumour theory to social media and community intelligence, analyses three large Twitter data sets: the 2008 Mumbai terrorist attacks, where a group of gunmen killed 165 and injured 304 people, the May 2012 shooting of five people by a gunman in Seattle and the recall of four million cars by Toyota in 2009 and 2010 because of a faulty accelerator pedal.
Within minutes of the initial terrorist attack in Mumbai, a local resident posted a stream of pictures on photo sharing website Flickr. Almost concurrently, a group of people voluntarily formed a Twitter page with a link to the Flickr site and spread eyewitness accounts of the terrorist attacks with texts, photos, and links to other sources.
While the flurry of social media activity had many positive outcomes, enabling people to contact family members, encouraging blood donations and providing eyewitness accounts, it also caused many rumours to circulate.
In total 20,920 tweets were analysed on the Mumbai attacks in the study, ‘Community Intelligence and Social Media Services: A Rumor Theoretic Analysis of Tweets During Social Crisis’ published in MIS Quarterly, from the moment the terror attack occurred on November 26 until November 30.
Dr Oh said: “Natural disasters and crises such as terrorist attacks provide the optimum conditions for rumours to spread which can exacerbate the situation for emergency response operations and cause panic amongst the public. For example, during the Mumbai terrorist attacks, the police control room was flooded with incorrect reports of explosions at leading hotels.
“Misinformation on the internet was also influencing what was being reported on official news channels. In fact, the BBC was forced to admit they had made a mistake after using Twitter coverage of the Mumbai terror attacks as a source of their official news.”
Dr Oh believes the main motivation for people turning to Twitter in a crisis is to find out what is happening in their immediate area or to acquaintances, so in order to control the flow of misinformation, emergency communication centres need to be set up quickly to respond to misinformation through social media channels.
“People use mainstream media to try to make sense of the situation but it usually provides general information or repeatedly broadcasts a few sensational scenes over and over again,” said Dr Oh, who cites the US Federal Emergency Management Agency’s Rumour Control Centre website during Hurricane Sandy in 2012 as an example of one way of using emergency communication centres. “Whereas what people involved in the crisis really want is very localised information in real time to aid their decision-making. Hence they rapidly realise that mainstream media do not provide them with local information that they desperately need to overcome the extreme situation, hence, they turn to social media such as Facebook and Twitter.
“Emergency response teams need to put in place prompt emergency communication systems to refute the misinformation and provide citizens with timely, localised, and correct information through multiple communication channels such as website links, social network websites, RSS, email, text message, radio, TV or retweets.
“In cases of community disasters, emergency responders need to make extra effort to distribute reliable information and, at the same time, control collective anxiety in the community to suppress the spreading of unintended rumour information. This includes the setting up of an ‘emergency communication centre’ in the local community who would monitor social media very closely and respond rapidly to unverified and incorrect rumour information.
“Given that the motivation of rumouring is fundamentally to make sense of uncertain situations such that people can deal with a possible threat, the provision of timely and certain information may lead to successful crisis management in partnership with voluntary online citizens.”
China Watch Blog reports that twenty-five distinguished scholars and internationally recognized experts have been appointed to the Global Commission on Internet Governance’s (GCIG) new Research Advisory Network (RAN).
The Global Commission is a two-year initiative launched in January 2014, by the Centre for International Governance Innovation (CIGI) and Chatham House. Chaired by Sweden’s Foreign Minister Carl Bildt, the commission will produce a comprehensive stand on the future of multi-stakeholder Internet governance.
The commission’s RAN, led by CIGI Senior Fellow Laura DeNardis, will assist in identifying and prioritizing Internet governance and Internet policy related issues within the commission’s mandate. Members of the RAN will provide expert briefings to the members of the commission and conduct research and analysis for the commission’s preparatory work and final report.
“The research advisory network will be an indispensable component of the Global Commission on Internet Governance,” said Fen Osler Hampson, co-director of the commission and director of CIGI’s Global Security & Politics program. “Under the direction of Laura DeNardis, the RAN will be of great benefit to this initiative’s critical analysis and findings. I’m grateful that these experts have agreed to participate.”
The twenty-five member network consists of:
Peng Hwa Ang
Rolf H. Weber
Christopher S. Yoo
Additional RAN members will be confirmed over time. For more information on the GCIG, including its twenty-nine commissioners and twenty-five research advisers, please visit: www.ourinternet.org. Follow the commission on Twitter @OurInternetGCIG.