A collection point
...and some of my own.
US Defense Agency Notifies Users of Serious Breach
A US government agency that provides secure communications to the White House has notified individuals of a data breach that may have compromised their personal information. The Defense Information Systems Agency (DISA), which provides IT support for the President, Vice-President, US Secret Service, Joint Chiefs of Staff and others, employs around 8,000 military and civilian staff. It’s also unclear whether the incident affected just DISA employees or a wider base of users of its services. Some reports have speculated that as many as 200,000 people could be involved.

FBI recommends using passphrases instead of complex passwords
“Instead of using a short, complex password that is hard to remember, consider using a longer passphrase. This involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for you to remember.”

Ring makes 2FA mandatory to keep hackers out of your doorbell account
Last week, Google announced that it would soon begin forcing users of its Nest gadgets to use 2FA, and this week security came knocking for Amazon’s Ring video doorbells. On Tuesday, Ring president Leila Rouhi said in a blog post that, starting immediately, the once-optional authentication is mandatory for all users when they log in to their Ring accounts. That will prevent unauthorized users from getting into Ring accounts, even if they have your username and password.

US and UK call out Russian hackers for Georgia attacks
The US and UK governments have both accused Russia of launching a cyber attack against the Georgian government last year. The attacks, mounted on 28 October 2019, came from Russia’s notorious GRU military intelligence unit, according to announcements from the US State Department and the UK’s National Cyber Security Centre.
"This action contradicts Russia’s attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries. These operations aim to sow division, create insecurity, and undermine democratic institutions. The Russian government has a clear choice: continue this aggressive pattern of behavior against other countries, or become a responsible partner which respects international law."

Data of 10.6m MGM hotel guests posted for sale on Dark Web forum
The personal data of 10,683,188 MGM hotel guests, leaked sometime in or before 2017, was posted for sale on the Dark Web this week, ZDNet reports. Those affected included Twitter CEO Jack Dorsey, pop star Justin Bieber, and government officials from the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA). The dump included full names, addresses, phone numbers, emails and birthdays.

Over 120 Million US Consumers Exposed
Security company UpGuard found the misconfigured Amazon S3 bucket on February 3 this year, eventually tracing it back to market analysis company Tetrad. The result was a database of 120 million Americans including full name, gender, address and “type” of consumer. It’s unclear how long it was exposed for, although Tetrad is said to have finally closed access a week after first being notified. “As a result, data that was collected by multiple entities, and affecting with varying degrees of intensity every household in the US, was made available not just to businesses and other intended audiences, but to anyone at all.”

Slickwraps says customer trust was ‘violated’ in data breach caused by glaring security holes
Slickwraps is an online store that offers skins for a variety of smartphones, tablets, gaming consoles, and laptops. Slickwraps' "abysmal cybersecurity" permitted anyone to upload a file to root, leading to remote code execution (RCE) attacks and the ability to execute shell commands. A single upload.php file was at fault. In total, 857,611 customer accounts were compromised.

Hackers Are Hammering The Financial Sector With Login Attacks
Forbes: Over a two-year period ending in November of last year, Akamai Technologies tracked more than 85.4 billion malicious login attempts. In one example, a financial firm faced 55 million malicious login attempts in a single day. Over the past few years cybercriminals have increasingly turned their attention to API (application programming interface) endpoints.

Apple Just Demanded Santander And A $50 Billion US Intelligence Contractor Reveal How They Use iPhone Hacking Tech
Thomas Brewster, Forbes Staff. In a move that’s sure to raise eyebrows, Apple has subpoenaed Santander Bank and the $50 billion-valued intelligence contractor L3Harris Technologies for information on their use of Corellium, Forbes has learned. In both subpoenas, which are not yet publicly available, Apple demands that L3Harris subsidiary Azimuth Security and Santander provide data including: all communications between the companies and Corellium, details on how they use the iPhone-virtualizing technology, all internal communications about the use of the tech, all contracts, and all information they have on the startup’s cofounder Chris Wade.

Hackers Trick a Tesla Into Going 50 MPH Over the Limit
Researchers at McAfee have demonstrated a new spin on an old trick. By subtly tampering with a speed limit sign—in this case, literally adding a two-inch strip of black tape—they were able to trick the Mobileye EyeQ3 camera on a 2016 Tesla Model X and Model S into feeding bad information to the vehicles' autonomous driving features, sending both cars into a rapid acceleration. The good news is that the problem doesn't affect 2020 Teslas, which no longer use Mobileye technology.

Ransomware Disrupted a Natural Gas Facility for Two Days
The hackers appear not to have targeted industrial control system components specifically. They got lucky with a phishing email, and were only able to impact the Windows-based portions of the victim's network.

Google Kicks Out 600 Android Apps With 4.5 Billion Downloads From the App Store
Adware is like gnats: everywhere, annoying, impossible to get rid of, but relatively harmless. But you still have to try, which Google did this past week by expelling nearly 600 apps from both the Play Store and its ad networks. That includes 45 apps from a single developer, China-based Cheetah Mobile. Google cited "disruptive ads" as the reason for the removal, framing it as part of a broader crackdown on fraudulent behavior. “Pending the restoration of Google collaboration,” Cheetah said, “the Company expects its ability to attract new users and generate revenue from Google may be materially adversely affected.” The company reported revenue of $258 million from “mobile entertainment” in FY2018.

WhatsApp Users Beware: Here’s How Chats Are Available To Anyone Via Google
Basically, the "Invite to Group via Link" feature “allows groups to be indexed by Google” and “they are generally available across the internet.” In other words, Wildon explained: “Any group link that is shared outside of secure, private messaging can relatively easily be found and joined.” Renowned ethical hacker Jane Manchun Wong confirmed this in a tweet, adding that 470,000 search results can be found on Google for the term “chat.whatsapp.com”, a section of the URL used for WhatsApp group invites. Facebook admitted it was “surprised” that the links are indexed by Google. After a slew of data scandals, privacy issues and breaches, many people don’t trust Facebook, so it might make sense to try something else. ESET’s Moore recommends using Signal or Telegram chat apps which, he says, “focus more heavily on user security and privacy.” cannot control what Google indexes.

The CISA Google Chrome 80 ‘update again’ advice
The United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued a notification that "encourages" users and administrators to update the Google Chrome web browser to version 80.0.3987.116. The new release for Windows, Mac and Linux users addresses several high-rated vulnerabilities that could, CISA warns, be exploited by an attacker to take control of the affected system. While it is unusual for a web browser to be updated so quickly after a major release, it is not unknown. In January, CISA issued similar update advice for users of Mozilla Firefox within days of the version 72 release. ... Not a lot is known, publicly at least, about the vulnerabilities concerned.

Russia Doesn't Want Bernie Sanders. It Wants Chaos
Wired: The point of Kremlin interference has always been to find democracy’s loose seams, and pull. As The Washington Post first reported Friday, US officials warned Bernie Sanders that Russia is “attempting to help” his presidential campaign. It also shouldn’t be read as any kind of endorsement.

Lawsuit Claims Google Collects Minors’ Locations, Browsing History
“Google Education is now used by more than 80 million educators and students in the United States… essentially giving Google sole and exclusive access to millions of students’ digital lives and their personal data,” according to the lawsuit, filed on Thursday. “More valuable still, Google has captured generations of future customers who are trained to use Google’s platform as early as kindergarten.” The lawsuit claims that when students log into their Chromebook, the Chrome Sync function – which is used by Google to sync apps, auto-fill information, and more – is turned on by default. The feature then automatically starts uploading Chrome usage data to Google servers, including online browsing habits, web searches and passwords. If true, this level of data collection would be a blatant violation of the Children’s Online Privacy Protection Act (COPPA), which requires parental consent for the collection and use of personal data if the user is under the age of 13. It would also violate the Family Educational Rights and Privacy Act (FERPA), a federal law that governs access to educational information and records by public entities.