A collection point
...and some of my own.
OK, same old shoes, but we do have some new news for you"s".

Android 11 system update from Google adds privacy controls
By Leo Kelion:

New privacy controls and a screen-recording tool are among the features being added to Android phones in the latest major update to Google's mobile operating system (OS). Android 11 also makes it easier to keep track of chat messages across multiple apps, and to control smart home gadgets.

Google has made efforts to encourage third-party device manufacturers to roll out its system updates more quickly than they used to, but some brands lag behind others. The tech giant has said that in addition to its own Pixel brand, the following firms would be the first to offer downloads of Android 11:
* OnePlus
* Xiaomi
* Oppo
* RealMe

Nokia has also tended to be an early adopter, while Samsung, Huawei and LG typically take a little longer to adapt new features to their own user interfaces. In any case, one expert said that because Google detached app and security updates from its major system releases a while back, delays are now less of an issue than they once were.

"There's a lot of features that drip into Android phones across the year via app updates, which happen independently of the manufacturers," explained Chris Hall from the tech review site Pocket-lint. "That contrasts with Apple's iOS, where iPhone users wait for a big dump of features to happen all at once."

[Image caption: Users can now control smart home gadgets from different brands via a single screen rather than multiple apps.]

Even so, Mr Hall acknowledged that some of the privacy changes could prove timely. They include:
* the ability to give apps single-use, rather than perpetual, access to a device's microphones, cameras and location
* a permissions auto-reset function that retracts apps' access to such functions if they have not been launched for a few months
* limiting apps to launching the phone's built-in camera app rather than a third-party alternative.
This has been done to close a loophole that allowed some developers to harvest location data without the user's say-so.

"People often grant permissions without realizing what they are doing, as they just click on an option to accept all features, allowing an app to go off and do what it wants," commented Mr Hall. "So building in one-time permissions is actually quite a big deal, especially after some high-profile cases of microphones and cameras being accessed without users realizing what was going on."

Connected cars

Many of Android 11's other changes are focused on simplifying use of a smartphone. A smart devices feature, for example, lets owners call up controls for all their connected devices in one place by holding down the power button.

Another tool is designed to help users manage multiple messaging apps, such as Facebook Messenger, Android Messages, Twitter, WhatsApp, Slack and Telegram. Posts received via all these platforms are now grouped together in a new "conversations" section of the notifications screen that appears when you swipe down from the top of the phone's display. This separates them from other types of alerts, helping owners avoid missing an important message. Users can also give certain chats priority over others, so they appear at the top of the screen and can still pop up when the device is in Do Not Disturb mode, if desired.

In addition, new Chat Bubbles can be set to appear above other apps, allowing users to quickly respond to friends' queries via a floating panel. This avoids having to switch out of the app they were using at the time in order to respond.

[Image caption: Chat Bubbles allow conversations to be carried out in floating panels that appear above apps updated to support the facility.]

Devices also gain the ability to natively record the screen without having to install a dedicated app, mirroring a feature already available on iOS. This could be useful for capturing game footage or recording a video chat.
The update should also allow all smartphones running it to connect via wi-fi to car entertainment systems powered by Android Auto. Until now only Pixel and Samsung phones could do this, meaning users of other brands had to resort to a USB cable if they wanted to stream music, have chat messages read aloud via the vehicle's speakers or get real-time alerts on their navigation display.

TikTok Rejects Microsoft Offer, Oracle Sole Remaining Bidder

The Wall Street Journal and The New York Times reported that Oracle had won the bidding war, citing people familiar with the deal, although the company did not immediately confirm that to AFP. But two Chinese state media outlets, CGTN and China News Service, said Monday that ByteDance will not sell TikTok to Oracle either, citing unnamed sources. Microsoft had indicated at the beginning of August that it was interested in acquiring TikTok's US operations, but announced Sunday that its bid had been rejected. "ByteDance let us know today they would not be selling TikTok's US operations to Microsoft," it said in a statement. A deal with Microsoft could also have included Walmart, which joined forces with the tech giant during negotiations. Ives said that even with Microsoft out of the picture, "while Oracle is technically the remaining bidder, without willing to sell its core algorithm we see no TikTok sale on the horizon." "Given the need now to get a green light from Beijing after its export rules were changed a few weeks ago, TikTok's days in the US likely are numbered with a shutdown now the next step."

Misconfigured Database Leaks 370 Million Dating Site Records

With dating site use skyrocketing during the pandemic, it's only to be expected that someone would set a database to open, light it up on a public-facing interface and walk away. So it was that vpnMentor stumbled across Mailfire's Elasticsearch database: 882 GB comprising data from over 70 dating websites.
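The open Elasticsearch instance in that story is the usual pattern behind "misconfigured database" leaks: the service listening on every interface with authentication switched off. As an added illustration that is not part of the original post and not taken from vpnMentor's report, here is a minimal elasticsearch.yml with the exposed configuration followed by a locked-down one. The setting names are real Elasticsearch (7.x/8.x) settings; the addresses and certificate paths are placeholders chosen for the example.

```yaml
# Added example, not from the original post: two elasticsearch.yml documents
# in one YAML stream. Setting names are real Elasticsearch settings; the
# addresses and keystore paths below are placeholders for illustration.

# --- Exposed: how a 882 GB index ends up readable by anyone on the internet ---
# Bind to all interfaces; anyone who can reach TCP/9200 gets full REST access.
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
# Authentication, authorization and TLS disabled: no credentials needed at all.
xpack.security.enabled: false

---
# --- Locked down ---
# Listen only on loopback or an internal address (placeholder), so the REST API
# is reachable from the application tier only, never from a public interface.
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
# Built-in security on: every request needs a user, role or API key.
xpack.security.enabled: true
# TLS on the REST API, so credentials and documents are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12          # placeholder path
# TLS between nodes (required once security is on in a multi-node cluster).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # placeholder path
xpack.security.transport.ssl.verification_mode: certificate
```

The check a defender actually wants is the external one: confirm from outside the trust boundary that port 9200 does not answer at all, and treat any datastore whose install defaults to the first document as needing the second one before it is given a routable address.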
Although the DB only held 4 days of records, they included full names, ages and dates of birth, gender, email addresses, locations, IP addresses and profile pics, as well as potentially embarrassing conversations between dating site users in 100 countries. Reading through some of the data, a large number of the dating websites appeared to be scams themselves, with false photos and misleading billing statements. Love is never easy.

US: As Election Day Nears, Kremlin Leans on Hackers-for-Hire
Jack Monahan: The "big four" (Russia, China, Iran, North Korea) and nations in the Middle East, Asia and South America are showing evidence that hacker-for-hire groups are on the rise. With a little over fifty days until election day, the U.S. Department of Justice (DOJ) on Thursday charged Artem Mikhaylovich Lifshits, a Russian national, for his alleged role in a conspiracy to use the stolen identities of U.S. persons to open fraudulent accounts at banks and cryptocurrency exchanges.

Why online voting is harder than online banking
Tim Lee: Every electronic transaction in the conventional banking system is tied to a specific sender and recipient who can confirm that a transaction is valid or raise the alarm if it isn't. Banks count on customers to periodically review their transactions, either online or in paper statements, and notify the bank if fraudulent transactions occur. By contrast, elections are supposed to be secret. In-person elections don't just allow voters to cast a secret ballot; they typically require them to do so. Mandatory secrecy insulates voters from coercion.

Banks' security efforts are also aided by the fact that people hacking financial networks are typically trying to divert stolen funds to themselves. Often banks can "follow the money" to figure out who was responsible for a particular hack, recovering the stolen funds and deterring others from trying a similar attack.
Bank hacking is also of little interest to foreign governments, most of which have plenty of money. Election hacking is different. We talk metaphorically about people "stealing" votes, but someone hacking an election isn't trying to profit directly from their hack. This means the authorities can't follow the money to identify suspects.

When fraudulent transactions are flagged after the fact, banks automatically credit lost funds back to customers. They try to identify the culprits and make them pay, but if that's not possible, banks absorb the losses themselves. This approach is totally unworkable for voting. Election officials can't issue voters after-the-fact credits for stolen votes the way banks do for stolen funds. An election needs to produce a definitive result that is quickly and widely accepted as legitimate. Even a small number of fraudulent votes could flip the result of an election and destroy public confidence in the voting process. Major elections, including the US presidency, have been decided by a few hundred votes out of millions cast. So voting infrastructure needs to be a lot more secure than our online banking infrastructure.

Researcher kept a major Bitcoin bug secret for two years to prevent attacks
Catalin Cimpanu for Zero Day: In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep the details private to avoid hackers exploiting it. INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin nodes, would lead to uncontrolled consumption of the server's memory, eventually crashing affected systems.

"At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges," Fuller said in a paper [PDF] published on Wednesday. Furthermore, INVDoS affected more than just the Bitcoin nodes (servers) running the Bitcoin Core software: nodes running Bcoin and Btcd were hit by the same bug, as were other cryptocurrencies built on the original Bitcoin protocol, such as Litecoin and Namecoin. The INVDoS bug was reported to all the responsible parties and patched, at the time, under the generic identifier CVE-2018-17145, which deliberately gave few details so as not to tip off attackers. Full details of the INVDoS vulnerability were published last week, so other cryptocurrencies that forked older versions of the Bitcoin protocol could check whether they were affected as well. "There has not been a known exploitation of this vulnerability in the wild. Well, not as far as we know."

2020-09-09: HOT WALLETS COMPROMISED – OFFICIAL ANNOUNCEMENT
Eterbase admits its systems were compromised, with funds said to be worth $5.4m taken by hackers. "We want to inform our users that we have enough capital to meet all our obligations. At the same time, we want to reassure everyone that this event won't stop our journey. After the security audit of renowned global companies, our operations will continue. We will announce the date of the re-opening of the ETERBASE Exchange platform as soon as possible. Best regards, ETERBASE Team"

Development Bank of Seychelles Hit by Ransomware
Established in 1977, Development Bank of Seychelles is majority-owned by the government of Seychelles, but it is not budget-dependent and operates on a commercial basis.

"Since September 9 2020, Central Bank of Seychelles has been engaging with Development Bank of Seychelles to establish the exact nature and circumstances of the ransomware incident and closely monitor the developments, including the possible impact on the Development Bank of Seychelles' operations," the bank said in a Friday announcement. The bank has yet to reveal whether customer data was compromised in the incident. Many of the ransomware attacks over the past couple of years, however, did result in sensitive data being stolen to entice victim companies into paying the ransom.

School's out for ransomware
Iain Thomson for The Register: Students in Hartford, Connecticut, got an extra day of holiday after the school system was taken down by ransomware. The malware borked key logistics systems on Tuesday in the US city. Hartford Mayor Luke Bronin said the infection was "significantly limited" due to computer security systems installed last year. Schools were back up and running the following day, though we're sure students appreciated their digital snow day.

UK: Travel Sites Riddled with Hundreds of Vulnerabilities
Phil Muncaster: UK-based consumer rights group Which? and tech consultancy 6point6 studied 98 travel sector companies, probing websites, subdomains, employee portals and other web properties with lawful online tools. They found Marriott-owned websites were riddled with 497 bugs, including over 100 assessed to be "high" (96) or "critical" (18). Some of these could have allowed an attacker to target users and their data, Which? said. "We reported our findings directly to Marriott (as we did with all the five providers in our snapshot test) and it said that it had 'no reason to believe' that its customer systems or data had been compromised," Which? explained. Marriott is facing a large fine from the regulator, the Information Commissioner's Office (ICO), after last year revealing a historic breach of 339 million customers' data.

Airline easyJet, which this year revealed a breach affecting nine million customers, was found to have 222 vulnerabilities across nine web domains, including one critical bug that could allow an attacker to hijack users' browsing sessions. The firm apparently took three domains offline and remediated the disclosed vulnerabilities on the other six sites. British Airways was found to have 115 vulnerabilities on its websites, including 12 judged to be critical. Although most of the issues identified were thought to relate to running old versions of software, the carrier gave no indication in its response to Which? that they would be updated. BA famously exposed the details of around 500,000 customers to Magecart attackers last year, in an incident which could also land it a major fine from the ICO. Elsewhere there were 291 potential vulnerabilities found at American Airlines, and a critical vulnerability at Lastminute.com which could allow attackers to create fake log-in accounts. "Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cyber-criminals," argued Which? Travel editor Rory Boland.
UK: London Charing Cross Gender Identity Clinic Data Leak Victims Could Claim £30,000 in Damages
Last year the Charing Cross Gender Identity Clinic sent out mass emails to people using the CC field instead of the BCC field, mistakenly revealing the names and email addresses of close to 2000 people on its email list. This year they could be looking at damages of up to UK£30K+ per person, with legal firms still offering to represent those affected.

CL: BancoEstado, one of Chile's three biggest banks, was forced to shut down all branches on Monday following a ransomware attack that took place over the weekend. "Our branches will not be operational and will remain closed today," the bank said in a

Details about the attack suggest the bank's internal network was infected with the REvil (Sodinokibi) ransomware, probably via a Word document that installed a backdoor, which was then used to access the bank's network and deploy the ransomware. Thankfully, the bank had a segregated network in place, so the bank's website, banking portal, mobile apps and ATMs were all untouched. Now we wait to see whether BancoEstado's data turns up on the REvil ransomware leak site.

AU: Service NSW reveals 738GB of customer data was stolen during email breach
Aimee Chanthadavong: Service NSW has revealed that the personal information of 186,000 customers was stolen because of a cyber attack earlier this year on 47 staff email accounts. Following a four-month investigation that began in April, Service NSW said it identified that 738GB of data, comprising 3.8 million documents, was stolen from the email accounts. "The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications. "Across the last four months, some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process. "We are sorry that customers' information was taken in this way."
Last week, it was revealed that information on thousands of New South Wales driver's licence holders was breached, with reports indicating that a cloud storage folder holding over 100,000 images was mistakenly left open. Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver's licence images. It said it was the responsibility of the commercial entity to investigate the matter and notify any customers if their data had been breached.

UK: Newcastle University hit by cyber attack
"Our teams are working with a number of agencies to address the current issues and are taking further measures to secure the IT estate. The nature of the problem means this will be an on-going situation for some time and it will take several weeks to address. Please be aware:
* Many IT services are not operating and will remain that way for the duration.
* IT services that are operating may need to be taken down without notice.
* Colleagues may lose access to their IT accounts without notice and they may not be re-enabled quickly.
* NUIT may need access to any IT system you keep or use.
* We may need to remove PCs, servers or other devices if we find out they are impacted, in order to carry out detailed investigations."
Both the Information Commissioner's Office and the police have been notified in what appears to be a ransomware attack.

US: Critical Infrastructure and Cyber-Physical Security
Tara Seals: As 5G accelerates the integration of Internet of Things (IoT) devices onto and into systems and previously non-integrated networks, the responsibilities of CEOs increase, especially where life-and-death systems are incorporated.
These convergences are mainly found in critical infrastructure and clinical healthcare environments for now, but will become more widely deployed with the expansion of 5G, and as innovations in smart buildings, smart cities, connected cars and autonomous vehicles, and telehealth/remote surgery continue to roll out, Gartner noted. In these environments, "incidents can quickly lead to physical harm to people, destruction of property or environmental disasters," according to the firm. "Gartner analysts predict that incidents will rapidly increase in the coming years due to a lack of security focus and spending currently aligning to these assets."

Gartner also predicted that the financial impact of cyber-physical system (CPS) attacks resulting in fatal casualties will reach more than $50 billion by 2023. This encompasses the costs to organizations of compensation for loss of life, litigation, insurance, regulatory fines and reputation loss.

"Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them," said Katell Thielemann, research vice president at Gartner, in a media statement. "In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won't be able to plead ignorance or retreat behind insurance policies." "Keep an eye out for any regulation that might come into force as a result of the first cyber-physical casualty," Thielemann added.

Global: Money from bank hacks rarely gets laundered through cryptocurrencies
Despite being considered a cybercrime haven, cryptocurrencies play a very small role in laundering funds obtained from bank hacks, the SWIFT financial organization said in a report last week.

"Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods," said SWIFT, the organization that runs the SWIFT inter-bank messaging system used by almost all banks across the world to wire funds across borders. These traditional methods include the use of money mules, front companies, cash businesses, and investments back into other forms of crime, such as the drug trade or human trafficking. SWIFT said that incidents where hackers laundered money via cryptocurrencies have been very rare.