Few, if any, companies or government agencies store more sensitive personal information than the IRS, and consumers have virtually no insight into how that data is used and secured. But, as the results of a recent Justice Department investigation show, when you start poking around in those dark corners, you sometimes find very ugly things.

Beginning in 2008, a small group of people–including an IRS employee who worked in the Taxpayer Advocate Service section–worked a simple and effective scam that involved fake tax returns, phony refunds, dozens of pre-loaded debit cards, and a web of lies. The scheme relied upon one key ingredient for its success: access to taxpayers’ personal information. And it brought the alleged perpetrators more than $1 million.

The scam’s particulars are not unique. There have been a variety of similar operations that have come to light over the last few years, with IRS employees improperly accessing taxpayer records as part of a financial fraud or out of curiosity over what an athlete or actor makes. What sets this case apart is that the accused IRS employee, Nakeisha Hall, was tasked specifically with helping people who had been affected by some kind of tax-related identity theft or fraud.

From that position, Hall allegedly tapped in to the personal files of an untold number of taxpayers and used the data she found there to file false tax returns in those victims’ names. The returns would be set up in such a way that the “taxpayers” would be due refunds. Hall typically would request that refunds be put on debit cards issued by Bancorp Bank or another bank, according to an indictment issued by the Department of Justice in December. The debit cards would be mailed to addresses that Hall had access to, and then Hall’s alleged co-conspirators Jimmie Goodman and Abdullah Coleman would pick up the cards.

Source: How an IRS Employee Allegedly Stole $1 Million from Taxpayers | On the Wire

The HTTPS Bicycle attack can result in the length of personal and secret data being exposed from a packet capture of a user’s HTTPS traffic. For example, the length of passwords and other data (such as GPS co-ordinates) can be determined simply by analysing the lengths of the encrypted traffic.Some of the key observations of this attack are as below: Requires a packet capture containing HTTPS (TLS) traffic from a browser to a website The TLS traffic must use a stream-based cipher Can reveal the lengths of unknown data as long as the length of the rest of the data is known – this includes passwords, GPS data and IP addresses Packet captures from several years ago could be vulnerable to this attack, with no mitigation possible The real world impact is unknown, as there are several prerequisites that may be hard to fulfill.This leads us into interesting discussions on the resilience of passwords as a form of authentication method.

Source: HTTPS Bicycle Attack – Obtaining Passwords From TLS Encrypted Browser Requests | Websense

SentinelOne director of mobile research Tim Strazzere said he found an open socket—shell@blackphone:/dev/socket $ ls ­l at_pal srw­rw­rw­ radio system 2015­07­31 17:51 at_pal—accessible on the phone that the agps_daemon, a system-level shell is able to communicate with. The vulnerability, CVE-2015-6841, is specific to the modem used by the Blackphone, the Icera modem developed by nVidia. The manufacturer announced in May it was discontinuing its Icera softmodem business.

Strazzere said that an attacker could use a malicious app, or chain together a Stagefright-type exploit with this vulnerability, to send commands to the phone’s radio.

The result poses a number of privacy and security woes for victims; an attacker could enable call forwarding, mute the phone, or send and read SMS messages all without leaving a trace on the device.

Source: Silent Circle Blackphone Icera Modem Security Patch | Threatpost | The first stop for security news

Time Warner Cable Inc said on Wednesday up to 320,000 customers may have had their email passwords stolen.

The company said email and password details were likely gathered either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored Time Warner Cable’s customer information, including email addresses.

Source: Time Warner Cable says up to 320,000 customers’ data may have been stolen

The Israel-based duo pried apart and compromised KVMs (keyboard video mouse) units such that they could download malware and compromise attached computers.

The attack, demonstrated at the Chaos Communications Congress in Hamburg last month is notable because KVMs are used to control multiple machines. A compromised unit would not be immediately suspicious to most admins and could compromise all computers that attach to it, using those with internet links to stay updated and exfiltrate data.

The KVM would download malware from an internet-connected machine and pass it into the unit’s memory.

Source: Checkpoint chap’s hack whacks air-gaps flat

Microsoft Corp (MSFT.O) experts concluded several years ago that Chinese authorities had hacked into more than a thousand Hotmail email accounts, targeting international leaders of China’s Tibetan and Uighur minorities in particular – but it decided not to tell the victims, allowing the hackers to continue their campaign, according to former employees of the company.

Source: Microsoft failed to warn victims of Chinese email hack: former employees

This poor policy is what you get when there is no legal framework requiring disclosure.