A collection point
...and some of my own.
VIZIO TO SEND CLASS NOTICES THROUGH THE TVS THAT SPIED ON VIEWERS
Danny Bradbury: Vizio TVs included a feature, switched on by default in 11 million devices, called ‘Smart Interactivity’, which tracked customers’ viewing habits. Vizio’s Inscape data services operation collected data including snippets of the programs viewers watched, with the date, time, channel, and whether they were viewed live or as recordings. It also gathered data on services such as Netflix, along with data from DVDs and streaming devices. In short, if you watched it on a Vizio TV, Vizio knew about it. The company then linked that data to your IP address and sold the whole package to advertisers, who could combine it with information about other devices associated with that IP address. So if, as most of us do, you connected your phone or home computer to your home Wi-Fi network, advertisers could use your viewing data to serve you ads on those devices too. Affected parties may be entitled to compensation.

YOUNGER USERS 4 TIMES MORE LIKELY TO DELETE THE FACEBOOK APP, STUDY SHOWS
Post-Cambridge Analytica, Facebook users have been taking a break from their relationship with the “we didn’t know what all those apps were doing with our users’ data” platform. According to a survey conducted from 29 May to 11 June 2018 by the Pew Research Center, 42% of adult users (those 18 and older) have taken a break from checking the platform for several weeks or more. The study also found that 44% of younger users (ages 18 to 29) say they have deleted the Facebook app from their phone in the past year, four times the share of users aged 65 and older who have done so.

POTENTIAL HURRICANE FLORENCE PHISHING SCAMS
The Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) warns us all to remain vigilant for malicious cyber activity seeking to exploit interest in Hurricane Florence.
Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a subject line, attachments, or hyperlinks related to the hurricane, even if it appears to originate from a trusted source.

BRITISH AIRPORT TAKEN OFFLINE BY RANSOMWARE
Phil Muncaster: Normal service finally resumed at Bristol Airport on Sunday after two days of ransomware-related outages blacked out the flight information screens. Staff were forced to hand-write regular updates on whiteboards to give passengers flight arrival and departure details, and additional staff were deployed to answer questions from anxious travelers.

HOW TO CRASH AND RESTART AN IPHONE WITH A CASCADING STYLE SHEET (CSS) BASED WEB ATTACK
Security researcher Sabri Haddouche tweeted a link to a webpage containing a 15-line proof-of-concept attack that exploits a weakness in WebKit, the web rendering engine behind Apple’s Safari browser (and, on iOS, behind every third-party browser too, since App Store rules require them to use WebKit). Haddouche demonstrated that Safari could be overloaded simply by applying the CSS backdrop-filter property to more than 3,000 nested <div> tags. As WebKit’s rendering engine exhausts resources, iOS freezes and the device can crash and restart. The good news is that the weakness cannot be exploited to steal information from iPhone and iPad users. However, it works as a “denial-of-service” attack, effectively stopping a device from working as soon as its user opens the link. Haddouche has reported the bug to Apple, which is believed to be investigating it.

MORE DETAIL ON THE EQUIFAX HACK
Equifax was unsure how much data had been stolen during its 2017 mega-hack, so its IT staff spent weeks rerunning the hackers’ database queries on a test system to find out.
That’s just one intriguing fact from the US Government Accountability Office’s (GAO) report, “Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach”, dated August but publicly released this month. Ironically, the breach was only picked up when someone renewed an expired certificate on the device that was supposed to be inspecting outbound encrypted traffic, and immediately noticed something was wrong. With that device effectively blind for 10 months because of the expired certificate, “during that period, the attacker was able to run commands and remove stolen data over an encrypted connection without detection,” noted the auditors. The practitioner’s lesson is that an inspection device whose certificate expires fails silently: certificate expiry on the monitoring stack itself, and a sudden drop in the events it emits, both need alerting. Equifax did get lucky on one score: had the attackers erased the logs, reconstructing their actions would have been much harder. Even so, working out what was taken required Equifax’s IT team to replay as much of the attack as they could, running the thousands of known queries against a test copy of the database. That at least starts to explain why Equifax took until September 7 to reveal the breach despite having known about it for weeks. What is striking from the GAO report is how small individual errors and oversights at a company with plenty of resources can lead to the data of nearly 150 million people ending up in criminal hands.

AMAZON STAFF SAID TO BE TAKING BRIBES TO LEAK DATA
WSJ: In exchange for payments ranging from roughly $80 to more than $2,000, brokers for Amazon employees in Shenzhen are offering internal sales metrics and reviewers’ email addresses, as well as a service to delete negative reviews and restore banned Amazon accounts, the people said. Amazon is investigating several cases involving employees, including some in the U.S., suspected of accepting these bribes, according to people familiar with the matter.
This story is a good reminder that not every data leak happens because an outside attacker found a way through your network defenses. Often the bigger problem is not external hackers but the internal staff to whom you have granted access to sensitive data, some of whom may be tempted to sell it.

NEW FEDERAL LAW MAKES CREDIT FREEZES FREE FOR ALL CONSUMERS
Remember: starting next week (September 21st), consumers will be able to “freeze” their credit reports at no cost. A credit freeze blocks lenders and other third parties from pulling your credit report, which makes it much harder for identity thieves to open fraudulent accounts in your name.

BIZARRE BOTNET INFECTS YOUR PC TO SCRUB AWAY CRYPTOCURRENCY MINING MALWARE
Charlie Osborne: Researchers say that a new threat, Fbot, appeared on the radar last week, and the only job this botnet seems to have is chasing down systems infected by another botnet, com.ufo.miner, a variant of ADB.Miner. ADB.Miner has been active of late. It targets Android devices, including smartphones, the Amazon Fire TV and set-top boxes, for cryptojacking: covert Monero mining with the help of the Coinhive mining script. Fbot and ADB.Miner spread the same way: TCP port 5555 (the Android Debug Bridge, ADB, when it has been enabled over the network) is scanned and, if it is open, the payload runs scripts that download and execute malware and establish a channel to the operator’s command and control (C2) server. In Fbot’s case, however, the bot uninstalls the ADB mining scripts and cleans the system. Fbot has not yet been seen running any cryptojacking software, so its purpose may be to wipe out the competition before infecting devices with scripts or malware of its own.
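The spreading mechanism above (probe TCP/5555 everywhere, drop a payload wherever ADB answers) is also the thing a defender can watch for. The following is an added example, not code from the article or from the researchers it cites: a small Python detector run over a constructed flow-log sample (the log format and every address in it are made up for illustration). It flags sources that sweep many hosts on 5555 and, separately, any host that answered from 5555, because that host has ADB exposed over the network and is the one that needs fixing.

```python
"""Spot TCP/5555 (Android Debug Bridge) sweeps of the kind ADB.Miner and Fbot use.

Added example, not code from the article or the research it cites.
The log format and all addresses below are constructed for illustration.
"""
from collections import defaultdict

ADB_PORT = 5555
SWEEP_THRESHOLD = 3   # distinct hosts probed on 5555 before we call it a sweep

# Constructed flow-log sample: "<timestamp> <src>:<sport> -> <dst>:<dport> <tcp flags>"
SAMPLE_LOG = """\
2018-09-15T10:00:01Z 203.0.113.7:41222 -> 192.0.2.10:5555 SYN
2018-09-15T10:00:01Z 203.0.113.7:41223 -> 192.0.2.11:5555 SYN
2018-09-15T10:00:02Z 203.0.113.7:41224 -> 192.0.2.12:5555 SYN
2018-09-15T10:00:02Z 192.0.2.12:5555 -> 203.0.113.7:41224 SYN-ACK
2018-09-15T10:00:02Z 203.0.113.7:41225 -> 192.0.2.13:5555 SYN
2018-09-15T10:00:05Z 198.51.100.4:50000 -> 192.0.2.20:443 SYN
2018-09-15T10:00:05Z 192.0.2.20:443 -> 198.51.100.4:50000 SYN-ACK
2018-09-15T10:00:06Z 198.51.100.9:50321 -> 192.0.2.12:5555 SYN
2018-09-15T10:00:06Z 192.0.2.12:5555 -> 198.51.100.9:50321 SYN-ACK
"""


def parse_line(line):
    """Return (src_ip, sport, dst_ip, dport, flags), or None for a line we cannot parse.
    IPv4 only: the last ':' separates host from port."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or ":" not in parts[1] or ":" not in parts[3]:
        return None
    src_ip, sport = parts[1].rsplit(":", 1)
    dst_ip, dport = parts[3].rsplit(":", 1)
    try:
        return src_ip, int(sport), dst_ip, int(dport), parts[4]
    except ValueError:
        return None


def find_adb_sweeps(log_text, threshold=SWEEP_THRESHOLD):
    """Map each source that SYN-probed at least `threshold` distinct hosts on
    TCP/5555 to the sorted list of hosts it probed (scanner behaviour)."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src_ip, _sport, dst_ip, dport, flags = rec
        if dport == ADB_PORT and flags == "SYN":
            targets[src_ip].add(dst_ip)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


def adb_exposed_hosts(log_text):
    """Hosts that answered a probe with SYN-ACK from port 5555: ADB over TCP is
    reachable there, so the device is a candidate for the payload drop."""
    exposed = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src_ip, sport, _dst_ip, _dport, flags = rec
        if sport == ADB_PORT and flags == "SYN-ACK":
            exposed.add(src_ip)
    return sorted(exposed)


if __name__ == "__main__":
    for src, hosts in find_adb_sweeps(SAMPLE_LOG).items():
        print(f"5555 sweep from {src}: {len(hosts)} hosts probed ({', '.join(hosts)})")
    for host in adb_exposed_hosts(SAMPLE_LOG):
        print(f"ADB reachable on {host}: disable network ADB and block 5555 at the edge")
```

A device that appears in adb_exposed_hosts has ADB over TCP switched on; it is enabled with `adb tcpip 5555` and turned back off with `adb usb`, and outside a lab it should be off, with 5555 blocked at the network edge regardless.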
STATE DEPARTMENT SCORES AN “F” ON 2FA SECURITY
Danny Bradbury: Five senators discovered that the State Department is breaking the law by not using multi-factor authentication (2FA) for its email, and sent a letter to Secretary of State Mike Pompeo citing reports from federal auditors that the department was failing to meet basic federal cybersecurity standards. The General Services Administration (GSA), the US agency responsible for government procurement, property management and information delivery, analyzed federal cybersecurity this year and found that the Department of State had deployed “enhanced access controls” on only 11% of the agency devices that require them. Executive Branch agencies are legally required to enable 2FA for any account with elevated privileges under the Federal Cybersecurity Enhancement Act, passed as part of an omnibus spending bill in December 2015.

Apple (Finally) Removes MacOS App Caught Stealing User Browser Histories
Apple has removed a top-rated ad blocker from its official Mac App Store after a security researcher discovered it was quietly collecting detailed user browsing histories and sending them to a domain based in China. The $4.99 Adware Doctor was, until Friday morning, listed as the fourth highest-selling app and the top-grossing product in the “paid utilities” category of the Mac App Store. Its stated purpose is to protect users from malware and from adware served in their browsers. But the app has also been silently exfiltrating browser histories and other sensitive data from the systems it is installed on, says Patrick Wardle, founder and chief research officer of Digita Security and creator of Objective-See, a site offering free Mac security tools. "It also collects system info, a list of the users’ currently running processes, and also certain types of files that users have downloaded. It tries to access the user's App Store history — but I believe a bug causes this to fail," he says. In a blog post on Friday, Wardle said he had contacted Apple about the app’s behavior a month earlier. Two years ago, in 2016, another security researcher had raised concerns about the same application trying to trick users into granting it administrative privileges, he said. But until Friday morning, Apple had not removed the app, despite long promising to investigate, Wardle said.

2018 Cost of a Data Breach Study by the Ponemon Institute
This year’s study reports that the global average cost of a data breach is up 6.4 percent over the previous year, to $3.86 million. The average cost per lost or stolen record containing sensitive and confidential information also rose, by 4.8 percent year over year, to $148.
US Elections Must Go Back to Paper
Phil Muncaster: US voting infrastructure should return to paper ballots by the next presidential election, according to a major new report from the National Academies of Sciences, Engineering, and Medicine. Commissioned by the non-profit Carnegie Corporation of New York and the charitable William and Flora Hewlett Foundation, the two-year report concluded that internet-connected voting apparatus is too exposed to potential compromise. Citing nation-state infiltration ahead of the 2016 presidential election, it warns that “aging equipment and a lack of sustained funding” have further undermined efforts to maintain resilience. Ideally by the mid-terms later this year, but certainly by the next presidential election in 2020, all US local, state and federal elections should return to human-readable paper ballots, the report argued. Nor should marked ballots be sent over the internet or any connected network, as no current technology can guarantee their “secrecy, security, and verifiability.”

How refusing to give police your Facebook password can lead to prison
BBC UK: A 24-year-old murder suspect was sentenced to 14 months in prison on Friday for refusing to hand over his Facebook password to detectives investigating the death of 13-year-old schoolgirl Lucy McHugh. Stephen Nicholson, a family friend who had been lodging with Lucy's family, was allegedly in contact with Lucy on the morning of her disappearance. Police took him into custody and asked him, twice, for his password so they could examine the alleged conversation and whatever other content might help the investigation. Nicholson argued that giving police access to his private Facebook messages could expose information relating to his cannabis use. Nicholson has been jailed not for the murder but for refusing to cooperate with the detectives.
He pleaded guilty to failing to disclose access codes to an electronic device under the UK's Regulation of Investigatory Powers Act (RIPA).

How to steal a Tesla Model S in seconds
According to researchers at KU Leuven in Belgium, the Tesla Model S key fob authenticates to the car with a challenge-response exchange: the car's radio sends a challenge and the fob answers with a value computed from it under a secret cryptographic key, which initiates the lock/unlock process. However, the academics discovered that the fobs, manufactured by Pektron, use a cipher with only a 40-bit key. In cryptographic terms that is a tiny keyspace (2^40, about 1.1 trillion keys), well within reach of brute force. The researchers precomputed, for one chosen challenge, the response every possible key would give and stored the results in a lookup table. By impersonating the car with their radio kit, sending that challenge to a nearby fob and looking the response up in the table (a second challenge/response pair resolves any ambiguity between colliding keys), they could recover the fob's key, and so clone the fob, in about 1.6 seconds.

Social Security numbers exposed on US government transparency site
The US government exposed dozens of people’s personal details, including Social Security numbers, through an online mishap on a public transparency portal. FOIA.gov, a site that centrally administers Freedom of Information Act requests, had been serving up the information for weeks, CNN reported last week. People use the site, operated by the Environmental Protection Agency, as a single go-to source for requesting information from the government: they can submit requests concerning everything from criminal-case data to government expenses, and the portal routes each request to the appropriate agency and delivers the results. The problem stemmed from a software bug in the site’s search facility, which lets people search existing FOIA requests and see who has requested what. Those records include personal details that the site normally withholds until the originating agency gives permission to reveal them.
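Returning to the Tesla key-fob item above: the attack is a classic time-memory trade-off against a key that is too short, and it is easiest to see at a scale that runs in seconds. The block below is an added example, not the researchers' code, and the cipher in it is a toy: a 16-bit key and a 12-bit response stand in for the fob's 40-bit key and its truncated response (the toy_cipher function, the challenge values and the secret key 0xBEEF are all assumptions made for the demonstration, not anything from the real fob). The flow is the one described in the item: build a table of every key's response to one chosen challenge, impersonate the car to get a nearby fob's response to that challenge, look it up, and use one or two further chosen challenges to discard the handful of keys that merely collided. Growing the table from 2^16 to 2^40 entries changes the storage cost, not the method.

```python
"""Precomputation attack on a challenge-response key fob with a short key.

Added example, not the researchers' code. toy_cipher is an assumed stand-in
for the fob's 40-bit cipher, shrunk to a 16-bit key so the table builds in
seconds; nothing here is the real algorithm.
"""
from collections import defaultdict

KEY_BITS = 16          # real fob: 40
RESP_BITS = 12         # response shorter than the key -> several keys per response
MASK16 = 0xFFFF


def toy_cipher(key: int, challenge: int) -> int:
    """Toy keyed function (assumption, NOT the real cipher): 16-bit key and
    16-bit challenge in, RESP_BITS-bit response out."""
    x = (challenge ^ key) & MASK16
    for r in range(8):
        x = ((x << 5) | (x >> 11)) & MASK16        # 16-bit rotate left by 5
        x ^= (key + r * 0x9E37) & MASK16           # mix in a round-dependent key word
        x = (x * 0x1F3D + 0x0B) & MASK16           # odd multiplier: bijective mod 2^16
    return x & ((1 << RESP_BITS) - 1)             # truncate, as the real fob does


def make_fob(secret_key: int):
    """A victim fob: answers any challenge the 'car' sends using its secret key."""
    return lambda challenge: toy_cipher(secret_key, challenge)


def build_table(challenge: int) -> dict:
    """Offline phase: response -> list of keys that produce it for this challenge.
    Done once; 2**KEY_BITS cipher evaluations (2**40 for the real fob)."""
    table = defaultdict(list)
    for key in range(1 << KEY_BITS):
        table[toy_cipher(key, challenge)].append(key)
    return dict(table)


def simulate_attack(fob, table: dict, table_challenge: int, extra_challenges) -> list:
    """Online phase: the attacker's radio impersonates the car.
    Returns every key consistent with all the responses the fob gave."""
    # 1. Send the challenge the table was built for and look the answer up.
    candidates = table.get(fob(table_challenge), [])
    # 2. Each further chosen challenge discards keys that merely collided in step 1.
    for challenge in extra_challenges:
        response = fob(challenge)
        candidates = [k for k in candidates if toy_cipher(k, challenge) == response]
    return candidates


if __name__ == "__main__":
    TABLE_CHALLENGE = 0x1234
    table = build_table(TABLE_CHALLENGE)          # attacker's offline precomputation
    victim = make_fob(0xBEEF)                     # secret the attacker does not know
    first_hit = table.get(victim(TABLE_CHALLENGE), [])
    recovered = simulate_attack(victim, table, TABLE_CHALLENGE, [0x5A5A, 0xC3C3])
    print(f"keys matching the first response: {len(first_hit)}")
    print(f"after two more challenges: {[hex(k) for k in recovered]}")
    # A recovered key answers any future challenge: that is the cloned fob.
    print("clone answers correctly:", victim(0x0042) == toy_cipher(recovered[0], 0x0042))
```

The fix the researchers' finding points to is not a bigger table defence but a longer key: at 40 bits the offline phase is a one-off cost the attacker pays once and reuses against every fob, which is what makes the 1.6-second online phase possible.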
The agency is working with others to re-mask the sensitive data, which was apparently exposed after a software upgrade.

Ungagged Google warns users about FBI accessing their accounts
The notice looks like this: "Google received and responded to legal process issued by the Federal Bureau of Investigation compelling the release of information related to your Google account. A court order previously prevented Google from notifying you of the legal process. We are now permitted to disclose the receipt of the legal process to you." Some of those who received the notice from the newly ungagged Google said they consider the mystery solved: they had purchased LuminosityLink, which may well have caught the FBI’s attention. LuminosityLink was sold as a legitimate tool for Windows admins to “manage a large number of computers concurrently”. On the flip side, it was also a cheap, easy-to-use, multi-purpose pocket knife with a slew of malware capabilities you could bring into play. Gabriel Ramsey, a lawyer specializing in cybersecurity and internet law, said that “just buying a tool like LuminosityLink doesn’t determine guilt”.

Vodafone: You used 1234 as your password and were hacked? You cover the cost
Charlie Osborne: If you use a simple, easy-to-guess password such as "QWERTY" or "1234", you might pay for your mistake by having someone access your online accounts without permission, and you may also find yourself paying for the subsequent damages and lost funds. That is, if European mobile carrier Vodafone reportedly has its way. Two men were able to access customer accounts by using "1234" as the password, enabling them to order new SIM cards without permission, which were picked up at local branches; the SIMs were then used for gambling services. A Vodafone spokesman said: "We were sorry to hear that some of our customers fell victim to targeted fraudulent activity by criminals.
We make it very clear to all our customers that they need strong, unique passwords to protect themselves from this kind of criminal behavior."
Just one problem: independent research has confirmed that the portal's own security is poor. A password can only consist of four to six digits, which gives at most 1,110,000 possibilities (10^4 + 10^5 + 10^6), a space that is trivial to exhaust without rate limiting, so a "strong, unique" password is not something customers are actually able to choose.

NYPD and IBM Built a Skin-Tone Recognition Algorithm for CCTV Footage
George Joseph, Kenneth Lipp: Object-recognition software that IBM developed for self-driving cars has morphed into a security surveillance tool in recent years. The Intercept (TheIntercept.com) reports that, according to documents and interviews with former IBM engineers, the NYPD gave IBM video and images from CCTV cameras placed all around New York City, enabling the company to refine image-recognition search by physical features, including skin tone and body type. The NYPD began using the technology in 2010. In 2016 or early 2017, IBM reportedly upgraded the NYPD’s algorithm to explicitly search for people by ethnicity. The Intercept reports the software is also being used by a university in California. Civil rights advocates call the report alarming.