A collection point
...and some of my own.
EasyJet reveals cyber-attack exposed 9m customers' details

The Guardian: Of the 9 million people affected, 2,208 had credit card details stolen, easyJet told the stock market. No passport details were uncovered. Those customers whose credit card details were taken have been contacted, while everyone else affected will be contacted by 26 May. EasyJet did not immediately give details of how the breach occurred, but said it had “closed off this unauthorized access” and reported the incident to the National Cyber Security Centre and the Information Commissioner’s Office (ICO), the data regulator.

AT&T tracked its own sales team using GPS and then secretly charged them for it, lawsuit claims

Daniel Gunther has sued the American telecom giant, and hopes to lead a class-action lawsuit against it in California, where he is based. He alleges the cellular network used the GPS in its cars to keep tabs on sales reps, and then withheld an unagreed $85 to $135 a month from his payroll for use of the car as one of a fleet of "In-home experts". "In-home experts" make up to 33% of their pay by upselling existing cable and phone customers, but AT&T has classed them as exempt sales reps. Although AT&T didn't classify him as an employee, it may be hard to make a case that workers like Gunther are independent when they have to use its cars, are under constant surveillance and spend much of their time supporting existing sales. Given that Uber and Lyft just lost similar cases in California, we would not bet on AT&T.

Criminal forum trading stolen data suffers ironic data breach

John Dunn: There is a certain irony when hackers' data gets hacked. It now appears that when the FBI seized WeLeakInfo.com ... another website called WeLeakData.com also went dark. Now it seems that some of the owner's data has been found for sale on the dark web.
This data turns out to contain nuggets such as email addresses of account holders, their usernames, hashed passwords, and IP addresses – pretty much what would be part of any data breach. The haul also contained private messages between the criminal members. These details could be of big interest to law enforcement and rival criminals.

Illinois blames ‘glitch’ for exposure of Pandemic Unemployment Assistance (PUA) applicant Social Security numbers, private data

Charlie Osborne: The Illinois Department of Employment Security (IDES) has acknowledged a security lapse that exposed the private information of independent contractors and the self-employed. Names, Social Security numbers, and other data points -- including phone numbers and addresses -- related to unemployment claims were leaked through the scheme's website, which has been set up to give gig workers access to funds if they have lost their jobs due to the COVID-19 pandemic. Over 44,000 applicants opened a claim within the first 24 hours. IDES' data leak was uncovered by a business owner who applied for benefits and realized she was able to view information belonging to others.

Restriction on Chipmakers Deals Critical Blow to Huawei

AP: Huawei Technologies Ltd. is one of the biggest makers of smartphones and network equipment, but that $123 billion-a-year business is in jeopardy after Washington announced further restrictions on use of American technology by foreign companies that make its processor chips. The conflict is politically explosive because Huawei is more than just China’s most successful private company. It is a national champion among industries the ruling Communist Party is promoting in hopes of transforming China into a global competitor in profitable technologies. On Monday, China’s Ministry of Commerce warned it will protect “the legitimate rights and interests of Chinese enterprises,” but gave no details of potential retaliation.
Beijing has threatened in the past to issue an “unreliable entities list” that might restrict operations of dozens of American companies in China.

Crypto-Miners Take Out Supercomputers Working on #COVID19

Supercomputers across Europe appear to have been targeted by cryptocurrency miners over the past few days, forcing offline key IT resources working on COVID-19 research. One of the first to report problems was the University of Edinburgh’s Archer supercomputer, which was taken offline last Monday after “a security exploitation on the Archer login nodes.” Working with the National Cyber Security Centre (NCSC), the institution has been forced to reset all existing passwords and SSH keys. It was still down as of 18 May 2020.

Face masks prompt London police to consider pause in rollout of facial recognition cameras

The United Kingdom has been a keen adopter of surveillance technology including facial recognition cameras in recent years, despite concerns that widespread spying erodes citizen rights to privacy. In two recent Live Facial Recognition (LFR) deployments, in which over 13,000 faces were scanned, six individuals were stopped -- and five of the six were misidentified. Results like that did not stop the Metropolitan Police, but it seems a pandemic may do so. The police force is reportedly considering a pause on the scheme as so many in the capital are now wearing face masks.

Woman stalked by sandwich server via her COVID-19 contact tracing info

A woman in Auckland, New Zealand, told the local news outlet Newshub that Subway required her to put her contact details on a contact-tracing form so as to place her food order. She didn’t think anything of it: we all want to stop the spread of the pandemic, after all. The form asked for her name, home address, email address and phone number, all of which she put down. Subsequently, she was contacted by a Subway employee on Facebook, Instagram, Messenger and via text.
She complained and the worker has since been fired, but she has been left with a feeling of unease that she is having a hard time getting over.

Last Tuesday's Windows update

...patched 111 different things, with 16 rated as "Critical".

Australia wins AI 'Eurovision Song Contest'

Jane Wakefield for the BBC: An Australian team has won a competition to write a hit Eurovision song using artificial intelligence. An editor for Dutch broadcaster VPRO had the idea, after the Netherlands won last year's Eurovision Song Contest. And it grew into an international effort after this year's contest was cancelled because of the coronavirus pandemic. The winning song, Beautiful the World, was inspired by nature's recovery from the bushfires earlier this year. A total of 13 teams took part, from the Netherlands, Australia, Sweden, Belgium, the UK, France, Germany and Switzerland. The Australian team, called Uncanny Valley in a nod to how humans and robots may one day merge, was made up of maths, computer-science and social-anthropology students, as well as music producers. The melody and lyrics were written by an AI system, trained with audio samples of koalas, kookaburras and Tasmanian devils.

Clearview AI won’t sell vast faceprint collection to private companies

Clearview AI – the web-scraping, faceprint-amassing biometrics company that’s being sued over collecting biometrics without informed consent – says it’s no longer going to sell access to its program to a) private entities or b) any entity whatsoever that’s located in Illinois. Clearview’s artificial intelligence (AI) program can identify someone by matching photos of unknown people to their online photos and the sites where they were posted. Clearview AI founder and CEO Hoan Ton-That has claimed that the results are 99.6% accurate. The company’s change of heart was revealed in court documents submitted during the course of a class action suit against Clearview that was filed in Illinois in January.
It’s just one of multiple suits: Clearview’s also up against similar lawsuits in Vermont, New York and California. The Illinois suit charges the company with breaking the nation’s strictest biometrics privacy law – Illinois’s Biometric Information Privacy Act (BIPA) – by scraping some 3 billion faceprints from the web to sell to law enforcement and to what’s turned out to be a motley collection of private entities, including Macy’s, Walmart, Bank of America, Target, and the Major League Baseball team the Chicago Cubs. From a court declaration by their legal counsel last Wednesday: "Clearview is in the process of cancelling the accounts of every remaining user who was not either a law enforcement body or other federal, state, or local government department, office or agency. At the same time, Clearview is in the process of cancelling all user accounts belonging to any entity located in Illinois." However, that statement doesn't quite mesh with reports that Clearview had been aggressively pursuing clients outside of law enforcement, including in law, retail, banking, and gaming, and that the company had been trying to gain traction outside of the US and Canada by pushing into Europe, South America, Asia Pacific, and the Middle East.

More Chrome extensions Removed by Google

Danny Bradbury: Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after security researcher Harry Denley found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users’ private keys and other secrets used to access digital wallets so that their authors can steal victims’ funds. Now Denley has found more. Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets.
The IDs on the left of that list are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store. Google had already taken down most of the offending wallets at the time of writing, and has been generally pretty responsive. How do you keep yourself safe? Install as few extensions as possible and, despite the above, only from official web stores. Check the reviews and feedback from others who’ve installed the extension. Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates. Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.

Black Hat USA and DEF CON Cancelled Due to #COVID19

Black Hat USA and DEF CON have become the latest victims of the COVID-19 pandemic, after organizers announced plans to cancel the cybersecurity conferences and replace them with virtual events. For DEF CON, the decision has turned a long-running joke on its head. For the past few years mischief-makers have taken to the internet to spread fake news about the event being cancelled. “The #DEFCONiscanceled meme has crossed over into real life, courtesy of #COVID19,” wrote the organizers on Twitter on Friday. “In early March we had hopes that things would be stable by August. That is no longer realistic.” DEF CON 28 Safe Mode will now run online from August 7-9, with 101 orientation Thursday. “Expect events like a new on-line Mystery Challenge, a DEF CON is Canceled music album, remote CTFs like Hack-a-Sat, Villages like the Packet Hacking Village, contests like the TeleChallenge, Ham Exams, and more.
We are also planning a remote movie night and drink-up.”

Google Authenticator 2SV codes transferable across Android devices

In celebration of World Password Day (on the 7th of May), Google updated its Authenticator app to make it easier to transfer 2-Step Verification (2SV) codes from one Android device to another. Touting it as "one of the most anticipated features", the Chocolate Factory said the ability to port "2SV secrets, the data used to generate 2SV codes across devices" would be particularly useful "when upgrading from an old phone to a new phone"... but only if your new phone is an Android too. The feature is available in v5.10 of Google Authenticator.

MobiFriends data on 3.6 million users available for download online

Teri Robinson: The leaked personal data of more than 3.6 million users registered on dating site MobiFriends was made all the more vulnerable because the site used the notoriously weak MD5 hashing. The information posted online – including mobile numbers, usernames, birthdates and app activity – was taken during a January 2019 breach.

Thunderspy: More Thunderbolt Flaws Expose Millions of Computers to Attacks

The new attack method, dubbed Thunderspy, was discovered by Björn Ruytenberg of the Eindhoven University of Technology in the Netherlands. The researcher has discovered a total of 7 vulnerabilities related to improper firmware verification, weak device authentication, the use of unauthenticated device metadata, downgrade attacks, unauthenticated controller configurations, SPI flash interface issues, and the lack of Thunderbolt security when using Boot Camp, the tool that allows users to install Windows on Apple computers. Thunderbolt is the hardware interface created by Intel and Apple for connecting peripheral devices to a computer. Millions of laptops and desktop computers with a Thunderbolt port could be vulnerable to Thunderspy attacks.
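The permission check suggested in the Chrome extension item above can be scripted. What follows is an added example, not code from the original page or from any of the researchers or vendors it mentions: it reads an extension's manifest.json, flags host patterns that cover every site and API permissions a wallet-style helper rarely needs, and diffs two versions so a permission change stands out. The two manifests are constructed sample input; the permission strings are real Chrome permission names, but the "high risk" grouping is this example's own judgement call, not a Google-published list.

```python
"""Audit a Chrome extension manifest for over-broad or risky permissions.

Added example, not from the original page. The manifests below are constructed
sample input; the HIGH_RISK grouping is this script's own judgement call.
"""
import json

# Real Chrome permission names. Whether they are "high risk" depends on what the
# extension claims to do: a wallet helper has little business with any of these.
HIGH_RISK = {
    "webRequest", "webRequestBlocking", "debugger", "nativeMessaging",
    "clipboardRead", "cookies", "history", "tabs", "proxy", "management",
}

# Host match patterns that grant access to every page the user opens.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def collect_permissions(manifest):
    """All permission strings. MV2 'permissions' may mix API names and host
    patterns; MV3 moves hosts into 'host_permissions'. Optional ones count too."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    return perms


def audit(manifest):
    """Broad host patterns and high-risk API permissions requested by a manifest."""
    perms = collect_permissions(manifest)
    return {
        "broad_hosts": sorted(p for p in perms if p in BROAD_HOSTS),
        "high_risk": sorted(p for p in perms if p in HIGH_RISK),
    }


def permission_diff(old_manifest, new_manifest):
    """Permissions an update added or removed; additions deserve scrutiny."""
    old_p = collect_permissions(old_manifest)
    new_p = collect_permissions(new_manifest)
    return {"added": sorted(new_p - old_p), "removed": sorted(old_p - new_p)}


# Constructed sample manifests: a v1 that looks reasonable for a wallet helper,
# and a v2 "update" that quietly asks for every site plus request interception.
WALLET_V1 = json.loads("""{
  "manifest_version": 3, "name": "Example Wallet Helper", "version": "1.0",
  "permissions": ["storage", "activeTab"]
}""")
WALLET_V2 = json.loads("""{
  "manifest_version": 3, "name": "Example Wallet Helper", "version": "1.1",
  "permissions": ["storage", "activeTab", "tabs", "webRequest"],
  "host_permissions": ["<all_urls>"]
}""")


def report(old_manifest, new_manifest):
    """Readable summary: audit of the new version plus what changed since the old one."""
    findings = audit(new_manifest)
    delta = permission_diff(old_manifest, new_manifest)
    lines = [f"{new_manifest['name']} {new_manifest['version']}:"]
    lines.append(f"  broad host access: {findings['broad_hosts'] or 'none'}")
    lines.append(f"  high-risk APIs:    {findings['high_risk'] or 'none'}")
    lines.append(f"  added since {old_manifest['version']}: {delta['added'] or 'none'}")
    lines.append(f"  removed since {old_manifest['version']}: {delta['removed'] or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WALLET_V1, WALLET_V2))
```

Run it against the manifest.json of an installed extension (Chrome keeps them under the profile's Extensions directory) before and after an update; a clean v1 followed by a v2 that adds `<all_urls>` and `webRequest` is exactly the "permissions change" the advice above says to be suspicious of.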
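The MobiFriends item above calls MD5 "notoriously weak" for stored passwords. The added example below (not the site's code, and not from the original page) shows the two properties that matter once a database leaks: an unsalted fast hash gives every user with the same password the same stored value, while a salted, memory-hard KDF such as scrypt gives each user a distinct value and costs far more per guess. The storage format string and the scrypt parameters are this example's own choices; the sample users are constructed.

```python
"""Unsalted MD5 beside a salted scrypt store, for password storage.

Added example, not MobiFriends' code and not from the original page.
The "scrypt$n$r$p$salt$hash" format is this example's own choice.
"""
import hashlib
import hmac
import os


def md5_store(password):
    """What a site "using MD5" typically stored: one unsalted digest per user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# scrypt cost: memory is 128 * r * n bytes (16 MiB here). Raise n as hardware
# allows; the values are recorded in the stored string so old entries still verify.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def scrypt_store(password, salt=None):
    """Derive a salted, slow hash and record the parameters alongside it."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def scrypt_verify(password, stored):
    """Re-derive with the stored salt and parameters; compare in constant time."""
    scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_users(records):
    """Given {user: stored_value}, group users whose stored value is identical.
    With unsalted MD5 every shared password collapses into one group, which is
    what makes a leaked table cheap to work through; a salted KDF never does."""
    groups = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample users; two of them chose the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}

if __name__ == "__main__":
    md5_table = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    kdf_table = {u: scrypt_store(p) for u, p in SAMPLE_USERS.items()}
    print("MD5 users sharing a stored value:   ", shared_password_users(md5_table))
    print("scrypt users sharing a stored value:", shared_password_users(kdf_table))
    print("bob logs in with the right password:", scrypt_verify("correct horse", kdf_table["bob"]))
```

`hashlib.scrypt` needs a Python linked against OpenSSL 1.1 or later; on an older build, `hashlib.pbkdf2_hmac` with a high iteration count is the stdlib fallback, with the same salt-and-record-parameters shape.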
NBA star loses Twitter account to rude hackers

Without any games to play, pro athletes are just as bored as the rest of us, and as they spend more time on social media, they are also more prone to having their accounts hijacked. Such was the case with NBA star Giannis Antetokounmpo, whose account was taken over and used to make a series of profane and insulting tweets about, among other people, the late Kobe Bryant and his daughter. "With these kinds of attacks, it is often less of a typical compromise and more of a drive-by graffiti of these accounts."

Nintendo console details leak

Shaun Nichols: Fans of Nintendo were treated this week to a rare look at the most basic workings of some of the gaming giant's best-known consoles. An anonymous hacker leaked some 2TB worth of source code related to the Nintendo Wii, GameCube, and Nintendo 64 designs. This cache includes Verilog code for the hardware – essentially the coded blueprints for the various chips.

Malware miscreants hit German medical group

European hospital operator Fresenius has become the latest organization to fall victim to ransomware. The German company, said to be one of the largest operators of private hospitals in the region, is reportedly dealing with an infection from the Snake ransomware, a relatively new malware group that exclusively targets large businesses.

Cognizant counts cost of malware attack

IT services company Cognizant has put an eye-watering price tag on the damage from its April ransomware ordeal. CEO Brian Humphries told analysts tuned into the company's quarterly earnings call that the clean-up from the infection would be as high as $70m.

DigitalOcean Inadvertently Exposed Customer Data

Last week, the company started alerting customers that some of their data might have been accessed by third-parties after a document from 2018 was unintentionally made available via a public link.
“This document contained your email address and/or account name (the name you gave your account at sign-up) as well as some data about your account that may have included Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018.” The email alert also informed customers that the document had been accessed at least 15 times before the leak was noticed and plugged.

UK: Cyber-Attacks on Orgs Up 30% in Q1 2020

Michael Hill: New research from business ISP specialist Beaming has revealed that the volume of cyber-attacks on UK businesses increased by almost a third in the first three months of 2020. Beaming analysts identified 394,000 unique IP addresses used to attack UK businesses in the first quarter of 2020, discovering that companies with internet connections experienced 157,000 attacks each, on average – the equivalent of more than one a minute. This rate of attack was 30% higher than the same period in 2019, when UK businesses received 120,000 internet-borne attempts to breach their systems each.

Microsoft, Intel Introduce 'STAMINA' Approach to Malware Detection

We couldn't resist, in part because of our fascination with why acronyms are so important to some elements of business and the military. Referred to as STAtic Malware-as-Image Network Analysis (STAMINA), the research leverages Intel’s previous work on static malware classification through deep transfer learning and applies it to a real-world dataset from Microsoft to determine its practical value. The approach is based on the inspection of malware binaries plotted as grayscale images, which has revealed that there are textural and structural similarities between binaries from the same malware families, and differences between different families or between malware and benign software. The technique is good, but only seems to work in small-scale models; however, the researchers have plans to increase their stamina (sampling). Sorry, we could not resist.
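The "binaries plotted as grayscale images" idea in the STAMINA item above can be shown concretely. The added example below (not Microsoft's or Intel's code, and not from the original page) turns a byte string into a fixed-width grayscale matrix, writes it out as a PGM image any viewer can open, and compares byte-value "texture" between samples with a cosine similarity over normalised histograms. The width schedule follows the size-dependent table commonly used in malware-image work and is an assumption here; the three sample "binaries" are constructed inline and are not malware.

```python
"""Bytes-as-grayscale-image representation of a binary, plus a crude texture
comparison. Added example, not Microsoft's or Intel's code and not from the
original page. The width schedule is an assumption; the samples are constructed.
"""
import math


def image_width(num_bytes):
    """Row width chosen from file size so similar-size files get similar shapes.
    Assumed schedule: <10 KB: 32, <30: 64, <60: 128, <100: 256, <200: 384,
    <500: 512, <1000: 768, otherwise 1024."""
    kb = num_bytes / 1024
    for limit, width in ((10, 32), (30, 64), (60, 128), (100, 256),
                         (200, 384), (500, 512), (1000, 768)):
        if kb < limit:
            return width
    return 1024


def bytes_to_grayscale(data, width=None):
    """Lay the bytes out row by row; each byte is one 0..255 pixel. The last
    row is zero-padded so the matrix is rectangular."""
    width = width or image_width(len(data))
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    if rows and len(rows[-1]) < width:
        rows[-1].extend([0] * (width - len(rows[-1])))
    return rows


def to_pgm(rows):
    """Serialise the matrix as a binary PGM (P5) image."""
    height = len(rows)
    width = len(rows[0]) if rows else 0
    header = f"P5\n{width} {height}\n255\n".encode("ascii")
    return header + b"".join(bytes(row) for row in rows)


def byte_histogram(data):
    """Normalised 256-bin histogram: a crude descriptor of the image's texture."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data) or 1
    return [c / total for c in counts]


def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def texture_similarity(data_a, data_b):
    """Similarity in [0, 1] between the byte-value textures of two binaries."""
    return cosine_similarity(byte_histogram(data_a), byte_histogram(data_b))


# Constructed samples: two "variants" sharing most of their bytes (same family,
# patched tail) and an unrelated blob dominated by a single byte value.
VARIANT_A = bytes(range(256)) * 8 + b"\x00" * 20
VARIANT_B = bytes(range(256)) * 8 + b"\xff" * 20
UNRELATED = b"\x41" * len(VARIANT_A)

if __name__ == "__main__":
    img = bytes_to_grayscale(VARIANT_A)
    print(f"{len(VARIANT_A)} bytes -> {len(img)} rows x {len(img[0])} px")
    with open("variant_a.pgm", "wb") as fh:  # writes the image to the current directory
        fh.write(to_pgm(img))
    print("A vs B:        ", round(texture_similarity(VARIANT_A, VARIANT_B), 3))
    print("A vs unrelated:", round(texture_similarity(VARIANT_A, UNRELATED), 3))
```

A byte histogram ignores layout entirely, which is why the paper's approach feeds the full image to a convolutional network instead; the histogram is here only to make the "same family looks alike" observation checkable in a few lines of pure Python.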
Got a TP-Link cloud camera? It might be time to patch.

TP-Link has released firmware updates to address several vulnerabilities in its NC series cloud cameras, including bugs that could lead to the remote execution of arbitrary commands. CVE-2020-12109, CVE-2020-12110 and CVE-2020-12111 all had fixes released on April 29 that protect you against having the cameras taken over with commands run in the root context. You also get protection against sensitive data access on your network from the compromised device. Users are advised to install them as soon as possible to ensure that they remain protected.

US: Trump signs new executive order to protect US power grid

The U.S. government appears to be concerned that foreign adversaries could be trying to plant malicious or vulnerable equipment in the country’s power grid. That is why the latest executive order prohibits the acquisition of bulk-power system electric equipment that is designed, developed, manufactured or supplied by an entity that is “controlled by, or subject to the jurisdiction or direction of a foreign adversary.” After the executive order was signed, the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) posted a tweet saying that “malicious actors have sought to leverage unauthorized access to the bulk power system against the U.S. for over a decade.”

Maximator: European signals intelligence cooperation, from a Dutch perspective

Bart Jacobs, 07 Apr 2020: The post-Second World War signals intelligence (SIGINT) cooperation between five Anglo-Saxon countries – Australia, Canada, the United Kingdom, New Zealand, and the United States – is well-documented. This alliance is often called Five Eyes and is based on the 1946 UKUSA Agreement. What is not publicly known so far is that there is a second, parallel, western signals intelligence alliance, namely in north-western Europe, also with five members. It has existed since 1976 and is called Maximator.
It comprises Denmark, France, Germany, Sweden, and the Netherlands and is still active today. Yes, the name comes from a Bavarian beer, and it dates from an earlier era of hardwired encryption. Of interest also were the countries that were not allowed to join the alliance, namely Belgium and Italy, and the fact that the Maximator alliance told GCHQ how the Argentinian cipher worked but made them figure it out themselves, which gave the Brits the upper hand in the Falklands war.

Coronavirus pandemic coincides with spike in online puppy scams

The Better Business Bureau (BBB) last week raised the alarm on what it says is a spike in online puppy scams it’s seeing now that the pandemic has so many people stuck at home, wistfully imagining that it’s the perfect time to train and bond with a little fluff ball. According to the BBB, nearly 85% of people who post pictures of puppies online are just trying to scam you. The scammers have up until now charged victims for the fictitious pet, plus delivery fees, vaccines, cage fees, vet bills or all of the above. But now, they’re also trying to bilk people out of fees for “special” shipping costs, including for a made-up “COVID-19 permit” to send the pet. Business is booming due to the pandemic. Besides the BBB in the US, police have issued alerts in the UK and in Canada. How to protect yourself? Don’t pay in ways that can’t be traced. Search online for the sender’s email address or mobile phone number. Ask for copies of the pet’s inoculation history, breed paperwork and certification before agreeing to buy it. Buy your pet locally from someone you can meet in person. The ASPCA recommends that you never buy a puppy online: even if you actually get an animal, it could have been mistreated by a “puppy mill” breeder along the way. And lastly, don’t let the crooks intimidate you.

Uncle Sam to agencies: No encrypted DNS for you!
The Department of Homeland Security’s (DHS) Cybersecurity & Infrastructure Security Agency (CISA) published a memorandum on April 21 warning agency CIOs that they’re legally bound to use its internal EINSTEIN network security system when resolving DNS queries. That means that they can’t yet take advantage of technologies that stop people from snooping on or even hijacking their DNS queries. EINSTEIN began as an intrusion detection system designed by the DHS’s US-CERT. Version 1 allowed the Agency to monitor traffic across all government networks, while version 2 spotted suspicious traffic. Version 3 (Einstein 3 Accelerated, or Einstein 3A) went further, preventing unwanted intrusions by known bad actors. It offers useful DHS-specific services like sink-holing that override public DNS records by blocking access to destinations that the DHS knows to be malicious. It also lets the DHS examine all DNS requests made by government users, of course. Why is the DHS reminding federal government CIOs about this now? The advisory itself points to one likely reason: browser developers are introducing support for DNS over HTTPS (DoH). Mozilla announced last September that it would be a default feature in Firefox, and Google has also announced an “experiment” with DoH in Chrome. The two organisations approach this differently, with Firefox choosing a DoH resolver of its own (Cloudflare) and Google just using the protocol if the user’s existing resolver supports it.

Twitter turns off SMS-based tweeting in most countries

"We’ve always been big fans of trusty SMS messaging. In fact, sending a text was originally the only way users could tweet. This is why Tweets are 140 characters — they need to fit into a text message." But last week, Twitter said on its support account that it’s killed SMS tweeting in order to keep our accounts safe, referring to SMS-enabled vulnerabilities for which it didn’t give any details. "We want to continue to help keep your account safe.
We’ve seen vulnerabilities with SMS, so we’ve turned off our Twitter via SMS service, except for a few countries. Everyone will still have access to important SMS messages needed to log in to and manage their accounts."

Hackers are targeting UK universities to steal coronavirus research, NCSC warns

State-sponsored hackers from Russia, Iran, and China are suspected.

Charlie Osborne: The coronavirus pandemic has prompted a surge in vaccine research, and whatever country makes the breakthrough will likely financially benefit due to global demand. As a result, the coronavirus research area has become competitive -- and not just for scientists. It is believed that state-sponsored groups hailing from Russia, Iran, and China have pivoted to this valuable data and are targeting British universities and research departments in increasing numbers. In April, Health Secretary Matt Hancock said the UK government was "throwing everything" at developing a COVID-19 vaccine, pledging over £40 million ($49m) to universities including the University of Oxford and Imperial College London, both of which are working to create a viable vaccine. The University of Oxford has begun human vaccine trials, and both Imperial College London and Bristol University are hoping to reach this milestone soon. Oxford University is aware of the hacking attempts -- of which it is not thought any information breaches have, so far, taken place -- and a spokesperson told the publication that "Oxford University is working closely with the NCSC to ensure our COVID-19 research has the best possible cybersecurity and protection."

Xiaomi phones at the center of tracking brouhaha

A Forbes report last week outlined how some Xiaomi Android phones track their owners' web browsing and online activities. It was claimed the handsets collect things like browsing history, search queries, and news feed activity, and send the data off to servers in China, even when using the bundled Xiaomi browser's private incognito mode.
Xiaomi, in response, claimed it anonymizes the harvested data for performance monitoring, though it did admit that this "aggregated data collection" included URLs even in incognito mode using per-user unique ID numbers that do not frequently change. Today, the phone vendor issued an update for its Mi Browser, Mi Browser Pro on Google Play, and Mint Browser on Google Play to "include an option in incognito mode for all users of both browsers to switch on/off the aggregated data collection." Which should stop Xiaomi's software harvesting URLs and other details in private mode.

Tokopedia Breach: 91 Million Records

Asian e-commerce giant Tokopedia is investigating a potentially major data breach after researchers revealed that 91 million user records are up for sale on the dark web. The same actor was subsequently found to be selling a much larger data trove containing a purported 91 million records for just $5000. There appears to have been at least two buyers over the weekend. “This is really bad, make sure you change your passwords for other services in case you are re-using passwords,” advised those researching the data.

India has made use of a COVID-19 contact-tracing app compulsory in some parts of the nation. The country yesterday extended its national lockdown for two weeks from today. But the extension is not total: regions that have experienced no new cases at all or none in the last 21 days will be designated “green zones”. Locales with known cases or insufficient data will become “red” or “orange” zones subject to ongoing stay-at-home orders and extensive restrictions on business activity. This new order may well be impossible to enforce because the app doesn’t run on feature phones, which comprise over half of India’s national phone fleet.
However, it’s not hard to see why India wants more installs: it’s had around 80 million to date, which is just over six percent of the country’s population and not a particularly useful sample in a nation where mega-cities top the ten-million-resident mark. Additionally, the privacy policy promises data collected will only be used for anonymous heat maps and informing those who encounter COVID-19 sufferers. But the privacy policy also includes a clause saying “All personal information collected from you under Clause 1(a) at the time of registration will be retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force.”

US: Spies Say Covid-19 Wasn't Man Made

The Office of the Director of National Intelligence released a brief statement this week confirming that "the Covid-19 virus was not man made or genetically modified." It left open the possibility that it may have originated in a Chinese lab, but it did tamp down some of the rampant, unfounded speculation from certain conservative commentators and politicians. (The scientific community dismissed those rumors from the start, but it's nice that the spies have caught up.) The statement also comes as the White House has reportedly pressured the intelligence committee to find links between Covid-19 and China, a type of "conclusion shopping" that critics say may result in less reliable reports.

EventBot Malware Steals Banking Info and Two-Factor Codes

Stop us if you've heard this one: Android malware poses as a legitimate app, only to steal your credentials once installed. That's EventBot in a nutshell, according to new research from security firm Cybereason. One unfortunate added trick: EventBot also intercepts your two-factor authentication codes, meaning it can break into the accounts whose passwords it stole with relative ease.
The good news is that EventBot appears not to have slipped into the Google Play Store yet, so as long as you stick to official channels you should be fine.

NSO Group Employee Reportedly Spied on a Love Interest

The NSO Group sells spyware to governments around the world and has been at the center of several controversies over how its software gets used. WhatsApp recently sued the company, alleging that its Pegasus malware had been used against journalists and human rights advocates. This week, Motherboard reports that several years ago an NSO Group employee used the company's powerful surveillance tools to look up a woman he knew personally. It's a jarring report and a reminder that companies too often don't put tight enough controls on who can access their most sensitive systems.