A collection point
...and some of my own.
Data Breaches Batter Stock Prices at Public Companies, For Months

Much has been made of the fallout that companies face after a data breach. But for public companies, shaken investor confidence adds a whole new dimension to recovery concerns. A recent study from Comparitech shows that share prices of large breached companies hit a low point approximately 14 market days after an incident becomes public. Share prices fall 7.27 percent on average to reach that low, and underperform the NASDAQ by 4.18 percent. Further, the firm found that finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected. And, unsurprisingly, breaches that exposed credit-card and Social Security numbers saw larger drops in share price on average than breaches that leaked less-sensitive data. The study analyzed stock performance for 28 very large companies listed on the New York Stock Exchange that have 33 well-known data breaches between them: Apple, Adobe, Anthem, Capital One, Community Health Systems, Dun & Bradstreet, Facebook, First American Financial, eBay, Equifax, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Marriott International, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone and Yahoo. Every breach in the set exposed at least 1 million records, and some (Capital One, Equifax, Target, Yahoo) are among the largest in American history. In analyzing closing share prices before and after the incidents, Comparitech found that after about a month, share prices tended to rebound and catch up with NASDAQ performance on average. In the longer term, however, breached companies went on to underperform the market. The researchers suggest this may stem from more details of the incidents coming to light, ongoing media attention, or the impact of fines.
Joker's Stash Puts $130M Price Tag on Credit Card Database

Payment card data is among the most widely distributed information on the Dark Web. The breadth of data for sale in underground marketplaces can prove helpful to security teams, who can analyze this information and combine it with other threat data to learn their potential exposure and mitigate the impact of an incident, Flashpoint researchers advise in a new report. The ecosystem for stolen payment card data ranges from low-level markets selling cards recycled from past breaches to top-tier sellers offering unused card data pulled directly from a fresh breach. Joker's Stash is one of the most prominent payment card shops on the Dark Web, where it has been selling cards harvested from online and physical transactions since 2014. In 2015, it also began selling personally identifiable information, including Social Security numbers. A recent update on Joker's Stash arrived on Oct. 29, when it added data pertaining to more than 1.3 million credit and debit cards reportedly taken from banking customers in India. The dump was one of the largest in Joker's Stash's history, researchers report, with cards priced at $100 each, putting the total value of the database at roughly $131 million.

Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin

Brian Krebs: Based in Sunderland, VT, and founded in 1856, privately-held Orvis is the oldest mail-order retailer in the United States. The company has approximately 1,700 employees, 69 retail stores and 10 outlets in the US, and 18 retail stores in the UK. In late October, this author received a tip from Wisconsin-based security firm Hold Security that a file containing a staggering number of internal usernames and passwords for Orvis had been posted to Pastebin. Reached for comment about the source of the document, Orvis spokesperson Tucker Kimball said it was only available for a day before the company had it removed from Pastebin.
“The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones,” Kimball said. “We are leveraging our existing security tools to conduct an investigation to determine how this occurred.” However, according to Hold Security founder Alex Holden, this enormous passwords file was actually posted to Pastebin on two separate occasions last month, the first on Oct. 4 and the second on Oct. 22. That finding was corroborated by 4iq.com, a company that aggregates information from leaked databases online. Orvis did not respond to follow-up requests for comment via phone and email; the last two email messages sent by KrebsOnSecurity to Orvis were returned simply as “blocked.” It’s not unusual for employees or contractors to post bits of sensitive data to public sites like Pastebin and GitHub, but the credentials file apparently published by someone working at or for Orvis is by far the most extreme example I’ve ever witnessed. For instance, included in the Pastebin files from Orvis were plaintext usernames and passwords for just about every kind of online service or security product the company has used, including:

- Antivirus engines
- Data backup services
- Multiple firewall products
- Linux servers
- Cisco routers
- Netflow data
- Call recording services
- DNS controls
- Orvis wireless networks (public and private)
- Employee wireless phone services
- Oracle database servers
- Microsoft 365 services
- Microsoft Active Directory accounts and passwords
- Battery backup systems
- Security cameras
- Encryption certificates
- Mobile payment services
- Door and alarm codes
- FTP credentials
- Apple ID credentials
- Door controllers

By all accounts, this was a comprehensive goof: the Orvis credentials file even contained the combination to a locked safe in the company’s server room.
Texas Health Agency Fined $1.6m for Data Breach

A fine of $1.6m has been meted out to the Texas Health and Human Services Commission for unintentionally exposing the personal health information of thousands of vulnerable people online. The commission inadvertently made the names, addresses, Social Security numbers, and treatment information of 6,617 people visible on the internet between 2013 and 2017. The breach occurred when an internal application was moved from a private server to a public one. A flaw in the application then made the sensitive information visible to the public without any access credentials being required. An investigation by the Office for Civil Rights (OCR) of the US Department of Health and Human Services found the audit controls in place at the commission to be inadequate; because of this, OCR was unable to determine exactly how many unauthorized people had viewed the information. OCR also determined that the agency had failed to conduct a risk analysis and to implement the access and audit controls on its information systems that the Health Insurance Portability and Accountability Act (HIPAA) requires.

NSA won’t collect phone location data, promises US government

The last 18 months have seen significant changes to the US’s collection of phone location data. Since 1994, law enforcement agencies in the US had been able to obtain call records under an amendment to the 1986 Stored Communications Act. Under this legislation, a judge could give prosecutors access if they could show that the records were relevant and material to an ongoing investigation. That all changed with a case brought by Tim Carpenter, who was convicted in 2011 after federal prosecutors trawled cell phone location data, tying his phone to the time and location of several robberies. Carpenter appealed, claiming that the trawling violated his Fourth Amendment rights.
He lost on appeal, but the case then went to the Supreme Court, which ruled in his favor in a 5-4 vote. That decision ended the warrantless collection of historical phone location data by police and federal law enforcement. However, since the request to terminate the Call Detail Records (CDR) program, the National Security Agency (NSA) has asked to retain the right to reintroduce it.

GitHub launches Security Lab to boost Open Source Security

When it comes to open source software security, nobody could accuse Microsoft-owned development platform GitHub of not thinking big when it came up with the idea for Security Lab. Launched last week at its GitHub Universe developer conference, the idea sounds simple enough: create a global platform for reporting and fixing security vulnerabilities in open source projects before they do serious damage. It sounds so obvious that it’s surprising nobody thought of it before. That might have something to do with the size of the job, as GitHub’s vice president of security product management admitted in Security Lab’s launch blog: securing the world’s open source software is a daunting task. The JavaScript ecosystem alone encompasses more than a million projects, and the ratio of developers to security experts who know how to fix things is around 500:1. To boost credibility, GitHub has already signed up big companies, namely Google, Oracle, Mozilla, Intel, Uber, VMware, J.P. Morgan, F5, NCC Group, IOActive, Trail of Bits and HackerOne, as well as Microsoft and LinkedIn. These partnerships have already borne fruit, with these companies collectively finding more than 100 CVE-level security vulnerabilities in open source code. Anyone who joins them will qualify for bug bounties of up to $3,000, GitHub said. Security Lab is also making available a free-to-use analysis engine, CodeQL, which GitHub acquired when it bought Semmle in September.
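CodeQL's central idea is variant analysis: describe one known bug as a query over the structure of the code, then run that query across a whole code base to surface every other instance of the same mistake. The Python script below is an added example, not GitHub's, Semmle's or CodeQL's code, that reproduces the idea in miniature with the standard `ast` module. The bug class is shell-command injection: starting from one known bad call (`subprocess.run(..., shell=True)` with a command string assembled from a function argument), it flags every structurally similar call to a shell-backed sink. The module it scans (`SAMPLE_MODULE`) is constructed for this example.

```python
"""Variant analysis in miniature.

Given one known bug pattern (a command assembled from non-literal data and
handed to a shell), walk a module's AST and report every call that shares the
pattern. CodeQL does this over a relational database of the code; the standard
`ast` module is used here as a stand-in for the same idea.
"""
import ast
from dataclasses import dataclass
from typing import List

# Calls that hand a command string to a shell when shell=True is set.
SUBPROCESS_SHELL_SINKS = {
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen",
}
# Calls that always go through the shell.
ALWAYS_SHELL_SINKS = {"os.system", "os.popen"}


@dataclass(frozen=True)
class Finding:
    line: int
    callee: str
    reason: str


def _callee_name(call: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'subprocess.run' or 'eval'."""
    node = call.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""  # e.g. a call on a call result; not a pattern tracked here


def _shell_is_true(call: ast.Call) -> bool:
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def find_shell_injection_variants(source: str) -> List[Finding]:
    """Return every call whose command argument is not a string literal but
    reaches a shell; a literal command cannot carry attacker-controlled data."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _callee_name(node)
        command = node.args[0]
        literal = isinstance(command, ast.Constant) and isinstance(command.value, str)
        if name in SUBPROCESS_SHELL_SINKS and _shell_is_true(node) and not literal:
            findings.append(Finding(node.lineno, name, "shell=True with non-literal command"))
        elif name in ALWAYS_SHELL_SINKS and not literal:
            findings.append(Finding(node.lineno, name, "non-literal command passed to the shell"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module: the original bug, one variant, one safe rewrite and
# one literal command that must not be reported.
SAMPLE_MODULE = '''
import os, subprocess
def backup(path):
    subprocess.run("tar czf /tmp/b.tgz " + path, shell=True)   # known bug
def ping(host):
    os.system(f"ping -c1 {host}")                                # variant
def safe_backup(path):
    subprocess.run(["tar", "czf", "/tmp/b.tgz", path])           # no shell: fine
def listing():
    return subprocess.check_output("ls /tmp", shell=True)       # literal: fine
'''

if __name__ == "__main__":
    for f in find_shell_injection_variants(SAMPLE_MODULE):
        print(f"line {f.line}: {f.callee}: {f.reason}")
```

Run against `SAMPLE_MODULE` it reports lines 4 and 6 and stays silent on the list-form `subprocess.run` and the literal `check_output`. A real CodeQL query adds what this toy lacks: data-flow tracking from the source (an HTTP parameter, argv) to the sink through intermediate variables, so that `cmd = "ls " + name; os.system(cmd)` is also caught.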
So if you know of a coding mistake that caused a vulnerability, you can write a query to find all variants of that code, eradicating a whole class of vulnerabilities. Perhaps the simplest innovation of all is that Security Lab will operate as a CVE Numbering Authority (CNA), a critical piece of security architecture for a project that aims to shine a wider light on security problems in open source projects. Currently, GitHub says, at least 40% of security flaws affecting open source don’t receive a CVE when they’re announced, which means they are excluded from the public databases that tell customers they have something to patch. Security Lab will address this with security advisories for users of affected projects, backed by automated security updates when patches are available and a Security Advisory API to integrate the flaw database into third-party tools. GitHub also announced the Arctic Code Vault, part of its GitHub Archive Program: cold storage for open source code in an underground Arctic bunker. Just like lifeforms, it turns out that code can go extinct too. If developers can’t find every flaw today, at least in years to come they’ll know where to look.

Two men busted for hijacking victims’ phones and email accounts

Police arrested two alleged SIM-jackers in Massachusetts on Thursday and charged them with draining cryptocurrency wallets and hijacking social media accounts. An 11-count indictment charges the two men, Eric Meiggs, 21, of Brockton, Massachusetts, and Declan Harrington, 20, of Rockport, Massachusetts, with wire fraud, conspiracy, computer fraud and abuse, and aggravated identity theft for an alleged crime spree that stretched from November 2017 to May 2018 and stripped $550,000 worth of cryptocurrency from at least 10 victims in the US.
Undercover reporter tells all after working for a Polish troll farm

Investigative journalist Katarzyna Pruszkiewicz spent six months working undercover for Cat@Net, a troll farm in Wroclaw, Poland that calls itself an “ePR firm,” creating fake social media accounts and sending them out to troll on either side of the political spectrum. Together with her troll colleagues, she managed almost 200 fake accounts on Facebook, Twitter and Instagram, wrote thousands of messages and comments, promoted clients’ products, trolled their competitors, and ran hidden support campaigns for, and smear campaigns against, politicians. Some of what Pruszkiewicz, working with the Polish journalism NGO Fundacja Reporterów (Reporters Foundation), discovered: Cat@Net employs a mere 14 people to run 170 troll accounts on social media. Don’t let that small workforce fool you, though: Pruszkiewicz says it constitutes a “powerful army,” as many of those accounts have thousands of followers, and they work hard to make sure their posts are viewed as widely as possible, sometimes tens of thousands of times. The farm runs both left- and right-wing troll accounts. That makes its smear and support campaigns more believable: instead of taking one position for a client, it sends trolls to work both sides, blowing hot air into a discussion, generating conflict and traffic, and thereby creating the impression that people actually care about things when they really don’t, including, for example, the candidacy of a recently elected member of the Polish parliament. Cat@Net’s customers include “large and small companies […] as well as other entities, including public administration institutions and private individuals.” The firm was unaware that Pruszkiewicz was an investigative journalist, since she had a “clean” online record, with no profile identifying her as such.
Some of the things her fake account accordingly posted about, in her own words:

April is the time of a nationwide teachers’ strike in Poland; they demand higher pay. The ruling party and their public radio and TV propaganda portray teachers as parasites, losers and sly dogs. My fictitious account chooses the #notsupportingteachersstrike hashtag. I write that teachers are holding students hostage; they are selfish and that their demands are unjustified. In the coming weeks I lash out at the LGBT movement. I say that I fell asleep while watching ‘Tell No One’, a documentary about child sex abuse in Poland’s Roman Catholic Church. Two men kissing on Eurovision? That’s outrageous! How can you expose children to such content? Pride parade? More like #PervertsParade.

Those kinds of posts impressed her bosses. By June 2019, after her three-month troll trial, Pruszkiewicz had become a trusted troll. She was invited to a private Cat@Net Slack channel called “Kulawa Rebelia”, which translates as “Lame Rebellion” or “Rebellion on Crutches.” The name refers to the fact that most of Cat@Net’s employees are believed to be disabled, which enables the company to obtain public subsidies from Poland’s National Disabled Rehabilitation Fund. According to the Reporters Foundation, the company has received about 1.5 million zloty (USD 388,044) from the fund since November 2015. The Guardian details one such campaign, which sought to influence which fighter jet the Polish government spent its zloty on: The accounts were used to undermine public support for the Polish government’s decision to place a major order with the American contractor Lockheed Martin for the F-35 fighter jet, promoting instead the Eurofighter Typhoon. […] Cat@Net employees were reminded by their managers that “the F-35 is our enemy number one” but “don’t be too pushy with the Eurofighter, otherwise they will know they are being trolled”. Political favors, corruption, money: these are hard to disentangle.
They’re all part of the same ball of wax, and all of those motivations may well be at play in the fake-news industry too.

Office 365 Admins Singled Out in Phishing Campaign

According to PhishLabs: “Office 365 admins have administrative control over all email accounts on a domain. Depending on the current configuration of the Office 365 instance, a compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain. In addition, Office 365 admins often have elevated privileges on other systems within an organization, potentially allowing further compromises to take place via password reset attempts or abusing single-sign-on systems.” Once an administrator is phished, the attackers are able to set up new accounts within the compromised organization, which are then used to send out more legitimate-seeming phishing emails. “This is beneficial for attackers because many email filtering solutions leverage the reputation of a sender domain as a major component of determining whether to block an email,” said PhishLabs. “Well established domains with a track record of sending benign messages are less likely to be quickly blocked by these systems. This increases the deliverability and efficiency of phishing lures.” By setting up new accounts to carry out this phishing activity, the attackers are also more likely to stay under the radar. The phishing lures themselves are spoofed to appear as if sent by Microsoft, for example a message asking the recipient to sign in to the Office 365 Admin center to update payment information. Over 1.5 million malicious and spam emails were reportedly sent from thousands of compromised accounts in the space of just one month earlier this year.
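The chain PhishLabs describes (admin phished, new mailbox created, lures sent from the trusted domain) leaves a footprint in the tenant's audit log that a defender can hunt for: an account that sends a burst of outbound mail within hours of being created, and the admin account that created it. The Python below is an added example, not PhishLabs' or Microsoft's code. The log lines are constructed for the example and only loosely follow the Office 365 Unified Audit Log shape (an `Add user.` directory event followed by Exchange `Send` mailbox-audit events); the field names used here are assumptions for the example rather than Microsoft's exact schema.

```python
"""Hunt for mass mailing from freshly created Office 365 accounts.

Reads newline-delimited JSON audit events (constructed sample below; the field
names are assumptions modelled loosely on the Unified Audit Log, not Microsoft's
exact schema), remembers when each account was created and by whom, then flags
accounts that send `threshold` or more messages within `window` of creation.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def build_sample_log() -> str:
    """Constructed sample: an admin creates 'billing-update', which then fires 40
    lures in 40 minutes; an ordinary user sends one normal message."""
    base = datetime(2019, 5, 1, 9, 0, tzinfo=timezone.utc)
    events = [{
        "CreationTime": base.isoformat(), "Operation": "Add user.",
        "UserId": "admin@example.com", "ObjectId": "billing-update@example.com",
    }]
    for i in range(40):
        events.append({
            "CreationTime": (base + timedelta(minutes=5 + i)).isoformat(),
            "Operation": "Send", "UserId": "billing-update@example.com",
            "Subject": "Office 365 Admin center: update payment information",
        })
    events.append({
        "CreationTime": (base + timedelta(hours=1)).isoformat(),
        "Operation": "Send", "UserId": "alice@example.com", "Subject": "Q2 report",
    })
    return "\n".join(json.dumps(e) for e in events)


def new_account_mass_senders(log_text: str,
                             window: timedelta = timedelta(hours=24),
                             threshold: int = 20) -> List[Dict]:
    """Return one alert per account created in the log that sent at least
    `threshold` messages within `window` after its creation."""
    created = {}                # account -> (created_at, creator)
    sends = defaultdict(list)   # account -> [send timestamps]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["CreationTime"])
        if ev["Operation"] == "Add user.":
            created[ev["ObjectId"].lower()] = (ts, ev["UserId"])
        elif ev["Operation"] == "Send":
            sends[ev["UserId"].lower()].append(ts)
    alerts = []
    for account, (created_at, creator) in created.items():
        n = sum(1 for t in sends[account] if created_at <= t <= created_at + window)
        if n >= threshold:
            alerts.append({"account": account, "created_by": creator,
                           "created_at": created_at.isoformat(), "sends_in_window": n})
    return alerts


if __name__ == "__main__":
    for alert in new_account_mass_senders(build_sample_log()):
        print(alert)
```

The alert carries `created_by` on purpose: in the campaign described above the newly created mailbox is disposable, while the admin that created it is the account that was actually phished and still needs its sessions revoked and password reset. Tune `threshold` and `window` to the tenant's normal onboarding pattern before relying on it.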
Attackers using WhatsApp MP4 video files vulnerability can remotely execute code

Last week, Facebook said in a security advisory that the WhatsApp bug, tracked as CVE-2019-11931, is a stack-based buffer overflow that can be triggered by sending a crafted .MP4 video file to a victim. While few details are available, the company said the problem lies in how the encrypted messaging app parses .MP4 elementary stream metadata. If exploited, the vulnerability can lead to denial of service (DoS) or remote code execution (RCE).

Zero-Day Exploits Earn Hackers Over $500K at Chinese Competition

White hat hackers earned $545,000 for successfully demonstrating zero-day exploits against products from VMware, Microsoft, Google, Apple, D-Link and Adobe at the 2019 Tianfu Cup hacking competition, which took place over the weekend in Chengdu, the capital of China's Sichuan province. The highest single reward, $200,000, went to the team 360Vulcan for a VMware exploit that lets an attacker escape from a guest virtual machine to the host. VMware representatives were present at the event and confirmed that the exploit worked against VMware vSphere ESXi. The company says it is investigating the flaws that made the attack possible and is working on addressing them. After last year's Tianfu Cup, it took VMware only a few days to patch a vulnerability that had earned $100,000 at the contest. The 360Vulcan team also demonstrated attacks against Microsoft Office, Microsoft Edge, Adobe Reader, and qemu-kvm on Ubuntu. The qemu-kvm vulnerabilities earned them $80,000, the Edge vulnerabilities $55,000, and the Office exploit $40,000.

Here's How Scammers Tried to Dupe Trend Micro Customers

Trend Micro customers whose details were exposed in the insider breach at the antivirus company are being bombarded with fake tech support calls seeking access to their computers.
"The first call seemed very legitimate to me, I almost fell for it." Rona, who requested that her last name be withheld, was among the estimated 68,000 Trend Micro users whose names, email addresses, phone numbers, and customer support ticket numbers were exposed in the breach. Since August, Trend Micro has been investigating why customers were receiving fake tech support calls, and traced it back to a rogue employee who was selling customer information to an unknown third party. Rona, who is based in Alberta, Canada, said she tried to warn Trend Micro about the potential breach in early October, when she received a mysterious call on her cell phone from the scammers. The man, who had an "Indian or Pakistani accent," said he was contacting her on behalf of Trend Micro to report a problem with the company's antivirus software, which she has used for the past decade. The caller knew Rona's name, as well as that she had recently called Trend Micro's help line to install the company's antivirus software on her mother's computer. He then asked Rona to open an email he had sent, which outlined the steps she needed to take to fix the problem. "I asked why they were not sending the fix through normal downloads. They said the servers were also infected and that is why they needed to do the fix via email," Rona said. "Since I was at work we decided that they would call me on Saturday, when I would be at my laptop." If Rona had been at her laptop when the scammer called, she might simply have followed the man's instructions, assuming the request to be legitimate. But after the call, she thought the whole story of an infected Trend Micro server was suspicious. "So I phoned Trend Micro (the real company) and they told me it was a scam," she said, which led her to promptly delete the email the mysterious man had sent.
Two more calls followed, and then the scammers tried another tactic: bombarding her phone number with robocalls, sometimes three times a day, claiming Trend Micro was going to charge or credit her bank account and that she needed to respond. In every case the calls came from a different number, making them impractical to block. Rona also faulted Trend Micro's handling of the incident: "It was really hypocritical of them. They put announcements on their web page about different companies having security problems, but they don't talk about their own," she said. "It feels like they are trying to hide it. There are people like my mother who could have easily fallen for this."

Understanding the Ripple Effect: Large Enterprise Data Breaches Threaten Everyone

Tara Seals: “Breaches against large enterprises are becoming more frequent. There are several reasons for this: notably, breaches are no longer standalone incidents; they are part of larger organized cybercrime networks. The second reason is that the price of data is skyrocketing: beyond data tied to financial institutions being an attractive target, so is data tied to healthcare, education, infrastructure, elections and national security.” Even though we live in a “breach-of-the-week” era, where data-thieving and inadvertent information exposures have become an expected part of the landscape, large enterprises can’t afford to see data stewardship as anything other than a critical risk, experts warn. “Fortune 500 companies have a much larger attack surface,” said one of the experts quoted in the piece. “It’s more difficult to promote an effective security culture across a base of tens of thousands of employees than for a company with only a handful. Add in the fact that people tend to reuse passwords for different services and often mix personal and corporate use of email and mobile devices, and the attack surface becomes even wider. Someone using company email on an insecure personal device represents an easy path to the corporate jewels.”
“In most cases, carefully planned attacks can find data that is pertinent in a smaller company that is a subsidiary or a contractor to a larger enterprise. In this case the smaller company proves to be the weakest link to attain the same data.” “Large enterprises and Fortune 500s tend to have a unique risk profile in many aspects. These enterprises tend to have a lot of assets, end users and employees, making them a much more lucrative target than a small organization, in a world where most data breaches are financially motivated, and selling loads of compromised personal data on the Dark Web can make a fortune.” Also consider suppliers and partners, which can be caught in the crosshairs: IT consulting giant Wipro Ltd., for instance, said in April that its network had been breached using stolen and phished credentials and then used to mount attacks on its customers. Globally, survey participants consistently identified the same solutions as having the most positive impact on their organization’s ability to prevent a breach. Vulnerability management and security software took the top two spots (slightly above 16 percent); employee training came third (14 percent), followed by response plans and security hardware (both slightly above 12 percent). While the survey found that regulatory compliance is the main driver for most cybersecurity programs, the loss of sensitive data is what keeps senior executives awake at night, not fear of compliance fines.

Bugcrowd breaks its weekly bounty payout record

For the first time in Bugcrowd’s seven-year history, it paid out more than $500,000 in bounties to its white hats in a single week. For all of October, more than 550 white-hat hackers working with Bugcrowd earned $1.6 million, with the top recipient taking home $40,000. “As those on the Bugcrowd platform know, and often look forward to, we pay out for valid findings on a weekly basis.
We’re extremely excited to announce that we’ve hit a milestone: last week, we paid out over a half million dollars, straight to our hackers’ pockets,” said Bugcrowd’s David Baker.

Lessons from the Final Season of Mr. Robot

- Sensitive data often resides in very mundane and easily accessible places. Some data-loss prevention (DLP) providers have estimated that nearly 90 percent of an organization’s intellectual property may reside in email.
- It is very hard to defend against an insider exercising legitimate privilege. It stands to reason that any user would have access to their own inbox, and it is not uncommon for users to create email archives as backups.
- Once the data is stolen, it can’t be “recovered”.
- “Ambient computing” can be a significant threat to privacy and safety. The ubiquity of transmitters in all of our devices enables everything from tracking individual users to monitoring beacons from laptops to identify a car worth breaking into.

Windows users look out! New Buran ransomware-as-a-service tempts criminals with discount licenses

The VegaLocker malware strain has provided the base for Buran, a new ransomware-as-a-service (RaaS) offering that is taking on competitors through discounted rates. First announced on a Russian forum, Buran's operators appear to be focusing on establishing personal relationships with criminal customers. In total, 25 percent of illicit earnings from successful infections goes to the authors, a substantial discount on the 30 to 40 percent usually demanded by RaaS operators. The rate can also be negotiated "with anyone who can guarantee an impressive level of infection with Buran," the McAfee researchers say. Buran is described in the advert as a stable strain of malware that uses an offline crypto-locker, offers 24/7 support, uses global and session keys, and has no third-party dependencies such as libraries.
The malware is also able to scan local drives and network paths, and contains optional features including encrypting files without changing their extensions; removing recovery points and clearing logs; deleting the backup catalog; and self-deletion. Buran's operators claim the ransomware is compatible with all versions of Microsoft Windows, but McAfee found during its investigation that some older versions, including Windows XP, are immune. The malware checks whether the victim machine is registered in Russia, Belarus or Ukraine, and exits if so. After making sure it can create files and store them in temporary folders, Buran creates registry keys to maintain persistence, assigns the victim an ID, encrypts files, and drops a ransom note.

Apple Mail stores parts of encrypted emails in plaintext DB

Apple expert Bob Gendler discovered that the Apple Mail app on macOS leaves a portion of users' encrypted emails in plaintext in a database called snippets.db. The issue affects all macOS versions, including the latest, Catalina. It is yet to be fixed, and although Apple says it plans to address it, the company has not provided a timeline. “But if you send encrypted emails from Apple Mail, there’s currently a way to read some of the text of those emails as if they were unencrypted — and allegedly, Apple’s known about this vulnerability for months without offering a fix,” reads a post published by The Verge. “Apple says it’s aware of the issue and says it will address it in a future software update. The company also says that only portions of emails are stored. But the fact that Apple is still somehow leaving parts of encrypted emails out in the open, when they’re explicitly supposed to be encrypted, obviously isn’t good.” Gendler discovered the issue while investigating how macOS and Siri suggest contacts and information to the user.
“This led me to the process called suggestd, run by a system-level LaunchAgent, and the Suggestions folder in the user-level Library folder, which contains multiple files and some potentially important database files,” reads a post published by Gendler on Medium. “These are databases with information from Apple Mail and other Apple applications that enable suggestd and Siri to become better at suggesting information.” Gendler explained that Siri uses a process named “suggestd” to collect contact information from various apps. Data collected by the process is stored in the snippets.db file. He discovered that if Apple Mail is used to send and receive encrypted email, Siri collects a plaintext version of the emails and stores them in the database. “Let me say that again… The snippets.db database is storing encrypted Apple Mail messages…completely, totally, fully — UNENCRYPTED — readable, even with Siri disabled, without requiring the private key.” Unfortunately, disabling Siri does not solve the issue, because the ‘suggestd’ process continues to scrape emails. Gendler proposed three ways to stop these processes from scraping messages from Apple Mail (the steps themselves are not reproduced in this digest).
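The write-up names the file (snippets.db under the user's Library/Suggestions folder) but not the SQLite schema inside it, so the most schema-independent way to check whether your own encrypted mail has leaked into it is a canary: send yourself an encrypted message containing a unique random string, then search the raw database file for that string. The Python below is an added check of that kind, not Gendler's tooling or Apple's code, and is separate from the methods he proposed; `scan_bytes` runs the same search over an in-memory buffer so the logic can be exercised on any machine. The search only finds text stored as plain UTF-8, so a canary of plain ASCII letters and digits is the safest choice.

```python
"""Canary check for snippets.db.

Searches the raw bytes of a file for a unique marker in a streaming, chunked
way (matches that straddle a chunk boundary are still found), so it does not
depend on the SQLite schema inside the file.
"""
import io
from pathlib import Path
from typing import BinaryIO, List

# Location reported in Gendler's write-up.
SNIPPETS_DB = Path.home() / "Library" / "Suggestions" / "snippets.db"


def scan_stream(stream: BinaryIO, canary: str, chunk: int = 1 << 20) -> List[int]:
    """Return the byte offsets of every UTF-8 occurrence of `canary` in `stream`."""
    needle = canary.encode("utf-8")
    if not needle:
        raise ValueError("canary must not be empty")
    overlap = len(needle) - 1   # bytes carried over so boundary-spanning hits are seen
    hits: List[int] = []
    carry = b""
    base = 0                     # file offset of carry[0] (or of the next block)
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf = carry + block
        i = buf.find(needle)
        while i >= 0:
            hits.append(base + i)
            i = buf.find(needle, i + 1)
        # A full match can never start inside the carried tail (it is shorter than
        # the needle), so carrying it over cannot double-count a hit.
        keep = min(overlap, len(buf))
        carry = buf[len(buf) - keep:]
        base += len(buf) - keep
    return hits


def scan_bytes(data: bytes, canary: str, chunk: int = 1 << 20) -> List[int]:
    """Same search over an in-memory buffer (used for testing the chunk logic)."""
    return scan_stream(io.BytesIO(data), canary, chunk)


def mail_leaked_into_snippets(canary: str, db_path: Path = SNIPPETS_DB) -> bool:
    """True if the canary text is present in snippets.db; False if it is absent
    or the database does not exist on this machine."""
    if not db_path.exists():
        return False
    with db_path.open("rb") as f:
        return bool(scan_stream(f, canary))


if __name__ == "__main__":
    import sys
    marker = sys.argv[1] if len(sys.argv) > 1 else "CANARY-7f3a9c"
    print("leaked" if mail_leaked_into_snippets(marker) else "not found")
```

Usage: send yourself an S/MIME-encrypted mail whose body contains the marker, wait for Mail to index it, then run the script with the marker as its argument. A "leaked" result is conclusive; "not found" is not, because the database may store the text in a different encoding or not yet have indexed the message.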
Gendler also suggests manually removing the snippets.db file located in “/Users/(username)/Library/Suggestions/”.

Twitter Spy Case Highlights Risks for Big Tech Platforms

The allegations of spying by former Twitter employees for Saudi Arabia underscore the risks for Silicon Valley firms holding sensitive data, which makes their platforms ripe for espionage. The two Saudis and one US citizen allegedly worked together to unmask the ownership details behind dissident Twitter accounts on behalf of the Riyadh government and royal family, according to a federal indictment. Analysts say the incident shows how the massive databases held by Silicon Valley giants can be juicy targets for intelligence agencies, which can often apply pressure to company insiders. "For companies collecting massive amounts of data, the challenge is how to keep it secure not only from hackers, but from rogue employees." Platforms such as Twitter and Facebook remain important tools for human rights activists, but users should be aware of the potential for data leaks, both in their own countries and from insiders. Companies should be required to inform victims if their data has been compromised "so they can take measures to protect themselves." "It's been alarming to see how governments use tactics to exploit the inherent weaknesses of the internet... to go after people expressing dissent." Bruce Schneier, a security researcher and fellow at Harvard University's Berkman Klein Center for Internet & Society, said it is not surprising to see governments targeting the databases of tech platforms. "We all assume it happens a lot. But this (prosecution) rarely comes up," Schneier said. Schneier said there have long been fears about Chinese or Russian insiders being pressured to introduce vulnerabilities in major software platforms, and that companies may be ill-equipped to thwart those efforts. "The government of Russia versus Twitter is not a fair fight," he said. "It's hard to blame the tech companies."
According to an indictment unsealed Wednesday, US citizen Ahmad Abouammo and Saudi national Ali Alzabarah were recruited in 2014-2015 to use their positions at Twitter to gain access to private information on the accounts of critics of Riyadh. Ahmed Almutairi, a marketing official with ties to the royal family, was a critical go-between who arranged contacts, prosecutors said. "Most employers do cursory background checks for the most obvious stuff such as criminal records or bankruptcy," said one analyst. "None of them does any semblance of a background check on nation-state threats." "There's a case for collecting the bare minimum of data from users and allowing users to opt out" of certain kinds of data collection.

Experts believe artificial intelligence (AI) and 5G will introduce new cybersecurity concerns

Kayla Matthews: Information Risk Management (IRM) recently published its 2019 Risky Business Report. The report also brings up how cybercriminals will use AI to carry out attacks, and notes that at least one such incident has already occurred. It also notes that increased deployment of distributed network data centers would increase the size of the attack surface associated with the 5G network. Moreover, the presence of new and third-party applications once 5G arrives will increase the possibility of threats. A good sign is that 93% of respondents said they had incident management plans in place. The report cautions that the 7% of organizations that don’t should never assume they are not targets for hackers, citing the example of a Missouri radio station that had its audio files compromised.

These new rules were meant to protect our privacy. They don’t work

Stephanie Hare: The GDPR was billed as the gold standard of data protection, offering the strongest data rights in the world. It has forced companies everywhere to modify their operating models, often at great cost.
It inspired the state of California to pass a similar law and where California leads, the rest of the US often follows; there have been calls for a federal version of the GDPR. Before it came into effect last year, we faced an onslaught of emails from organisations asking if we were happy to continue a relationship most of us never knew we were in, or if we wanted them to delete our data and unsubscribe us from their data gathering. Most websites nudge us into clicking “I consent” by making it harder for us not to. Those that do offer an “I do not consent” option force us to navigate a complicated menu of privacy settings, all of which offer only the veneer of privacy. They know that no one has the time or inclination to do this for every website and they are betting that most of us will choose convenience over data protection. And so we click “I consent” to cookies and other web trackers that follow us around, creating an ever-growing digital self that is monitored, used, bought and sold. Under the GDPR, we gained the right to find out what data is held on us and to request its deletion. Again, this puts the onus on us, not the companies or the government, to do the work. Again, most of us don’t. Yet the GDPR could have solved this easily by making privacy the default and requiring us to opt in if we want to have our data collected. But this would hurt the ability of governments and companies to know about us and predict and manipulate our behaviour, as Shoshana Zuboff demonstrated powerfully in her book, The Age of Surveillance Capitalism. It grows harder to shrug this off when our own parliamentary joint committee on human rights (JCHR) warned last week that data is already being used to discriminate in housing and job ads online. It notes that it is “difficult, if not nearly impossible, for people – even tech experts – to find out who their data has been shared with, to stop it being shared or to delete inaccurate information about themselves”. 
And the JCHR says that it is “completely inappropriate to use consent when processing children’s data”, noting that children aged 13 and older are, under the current legal framework, considered old enough to consent to their data being used. The collection of biometric data, which occurs with facial recognition technology, is prohibited under the GDPR unless citizens give their explicit consent. Yet there are exceptions when it is in the public interest, such as fighting crime. This is how an exception becomes the rule. After all, who doesn’t want to fight crime? And since the security services and police can use it, many companies and property owners use it too. Amid signs of a growing backlash, the GDPR offers little help and even less consistency. In August, Sweden’s data regulator fined a high school for using facial recognition to register student attendance, but did not rule it illegal. France’s regulator ruled last month that it is illegal to use facial recognition in secondary schools, but it has not challenged the government’s plan to use facial recognition for a compulsory national digital identity programme. A UK court upheld the use of facial recognition by South Wales police this autumn, but the main data regulator, the Information Commissioner’s Office (ICO), warned last month that this should not be taken as a blanket permission for the police to use the technology. In Permanent Record, Edward Snowden explains that it was his close study of the US constitution, specifically the Bill of Rights, which persuaded him that Americans’ civil liberties were being violated by the US government’s mass surveillance activities, which were carried out with and without the active participation of US technology companies. And even though non-US citizens are not protected by the Bill of Rights, Snowden believed that the US government was violating their human rights. This is what drove him to blow the whistle in 2013. 
Last week, Snowden said that the GDPR is “a good first effort… but it’s not a solution”. He thinks that legislation should address the collection of our data, not its protection after it is collected.

Huge Data Leak Doxes Members of Notorious Neo-Nazi Forum
The IronMarch forum was one of the internet's worst places until it shut down in November 2017, a breeding ground and online meeting place for neo-Nazi groups. This week, someone dropped a 1GB SQL database filled with information such as usernames, IP addresses, private messages, public posts, and the emails people used to register accounts. In sum, it amounts to a major doxing of extremist hate group members from just a few years ago. The independent journalists at Bellingcat have put together a guide to searching through and interpreting the data, and have raised the possibility that several IronMarch members were active US military personnel.

Facebook Reveals Yet Another Data Exposure
Stop us if you've heard this one: Facebook said this week that it had granted around 100 developers access to more data than they should have, specifically related to Groups. At least 11 of those developers actually accessed that data, and Facebook has asked them to delete it. It's not as comprehensive or devastating as the Cambridge Analytica fiasco, but making your name and profile picture available to unauthorized developers clearly isn't ideal. At a certain point, it's easy to become numb to these missteps. Try not to; you and your data are worth more than that.

Alphabet's Chronicle Is Fading Fast
According to a report this week from Motherboard, Chronicle, a touted cybersecurity company within Google parent company Alphabet, has been beset by staff departures and a "lack of clarity about Chronicle’s future." It's still a functioning operation, but seemingly diminished from the grand visions with which it launched almost two years ago. 
Major US hosting provider hit by a ransomware attack, impacting hundreds of thousands of customers
SmarterASP.NET claims to operate three ‘world-class’ data centers “delivering the reliability and flexibility necessary to support your mission-critical Internet operations.” However, the websites of its 440,000+ customers, as well as its own, went offline yesterday following the attack. “Your hosting account was under attack and hackers have encrypted all your data. We are now working with security experts to try to decrypt your data and also to make sure this would never happen again,” SmarterASP.NET said in a notice dated 11/11/2019. It’s unclear whether the firm has been able to decrypt the locked files, either by paying up or via a third-party key, or is restoring from backups.

I Accidentally Uncovered a Nationwide Scam on Airbnb
Allie Conti: Kris and Becky’s unit looked identical, save for a coffee table that was rectangular instead of round. Alex and Brittany had an additional armchair in their living room. Rachel and Pete’s place showed the most variation, but was still eerily similar to the rest of the bunch. When I finally plugged the original address of the place that I’d booked from Becky and Andrew into Google Street View, I felt like I was losing my mind. Becky and Andrew’s photos had no floor-to-ceiling windows, but the building on Street View at the same address clearly did. It seemed as if one person or group might have created numerous phony accounts to run a much larger Airbnb operation. If that proved true, it meant whoever ran the five accounts I’d located was controlling at least 94 properties in eight different cities. How many other people had been scammed out of money like me? Feeling as if I was entering a Pynchonian nightmare, I sent a message to Airbnb alerting them to what increasingly seemed like an elaborate scam. 
The specific details of Airbnb nightmares aside, those of us who’ve fallen for a crappy or nonexistent listing may well wonder how in the world a company that’s been around for 11 years – one that’s due to go public and is estimated to be worth $35 billion – could fail to have the technologies and processes in place to weed out the fraudsters who find it so easy to take advantage of the platform. Well, it hasn’t had those abilities. Nor has it apparently prioritized putting them into place. But Airbnb, which plans to go public next year, seemed to have little interest in rooting out the rot from within its own platform. When I didn’t hear back from the company after a few days, and saw that the suspicious accounts were still active, I took it upon myself to figure out who exactly had ruined my vacation. Airbnb’s refund policy is based on a complicated rubric that doesn’t say guests need written evidence in order to obtain a full refund but does note the company has “final say in all disputes.” It’s easy enough to see how a scammer might exploit the policies as laid out. If a guest stays even one night in a rental, for example, it is difficult to obtain a full refund, according to Airbnb’s rules. If a host asks a guest to stay at a property that’s different from the one they rented, Airbnb advises the guest to request a cancellation if they’re “not okay with the switch.” In both cases, the rules favor a would-be scammer and place the onus on guests who have just parachuted into an unfamiliar locale with their luggage and have nowhere else to stay that night. The issue with leaving a scammer a bad review is that they will do the same to you, and if you are a regular traveller using Airbnb, that could be fatal to your ability to ever book anything nice again. Airbnb’s Community Standards state that no host should “provide inaccurate information,” but Airbnb does not rigorously police the requirement, according to the report. 
“In spite of the fact that Becky and Andrew received a verified ID badge on their profile page, we have no way of knowing if they had any role in the properties other than having their photo taken,” the report stated. “This case also undermines one of the cornerstones of Airbnb’s business model, namely that the company’s ratings and identity verification system are a viable means by which travelers can vet their prospective hosts.” Of the six other accounts I'd connected to the scheme, five are still active weeks later. Only one has disappeared from the site. Update: 11/01/2019, the morning after the article was published, the FBI made contact about the claims made above. A week after that, Airbnb chief executive Brian Chesky said that starting next month – on 15 December – the new Airbnb Guest Guarantee will ensure that guests who stay in listings that don’t meet Airbnb’s “accuracy standards” will either be rebooked into someplace that’s “just as nice” or, failing that, get a 100% refund. Airbnb says that it will verify each and every Airbnb listing and host by December 2020. Chesky didn’t say how. What we do know is that there are an awful lot of listings to scrub: according to one property management site, the platform currently has more than 650,000 hosts and over 6 million listings worldwide. Until that happens, make sure you take photographs of every little shard of beer bottle or dirty sheet, and suggest to all your friends that they do the same.

UK: Facebook Won’t Ban Political Ads, Despite Controversy
Phil Muncaster: Facebook will not remove political advertising from its platform ahead of the UK’s upcoming General Election, despite complaints that the ruling Conservative Party is already trying to influence users with misleading information. 
The social network has been under pressure to ban such advertising completely, after Twitter announced plans to do so earlier this month and the Mozilla Foundation and several rights groups signed an open letter urging it and Google to follow suit. The UK Electoral Commission, Information Commissioner’s Office (ICO) and the cross-party DCMS Select Committee have all called for urgent legislation to regulate political advertising. However, in an update late last week, Facebook argued that it was not in the business of censoring politicians. Although such ads will be pulled if they incite violence, share previously debunked content or spread misinformation about where, when and how to vote, they won’t be fact-checked like other content, explained head of UK public policy, Rebecca Stimson.

After months of worry, BlueKeep vulnerability is now being exploited in mass-hacking campaign
British researcher Kevin Beaumont raised the alarm this past weekend, after discovering that BlueKeep honeypots he had set up (to act as an early alarm that the vulnerability was being exploited) began to crash and reboot themselves. "I built a worldwide honeypot network to spot exploitation, which I called BluePot. Since then it has been remarkably quiet. I’ve been keeping in contact with people at threat intelligence and anti-malware companies and, essentially, the protection built has been eerily quiet. That isn’t to say exploitation hasn’t happened — of course, advanced threat actors would absolutely look to leverage this — but there’s been a complete lack of data to suggest any kind of widespread exploitation. That changed on October 23rd — one of the BlueKeep honeypots crashed and rebooted. Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity." The good news is that the current attack appears to be flawed – crashing the computers it is attempting to infect rather than successfully installing the hackers’ code. 
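Beaumont's signal was not a packet capture but the honeypots themselves crashing and rebooting. The script below is an added example, not Beaumont's BluePot or any code from the article: it takes a constructed poller log of each honeypot's kernel boot time plus a constructed inbound-connection log, detects when a host's reported boot time moves forward (a reboot), and lists which sources connected to TCP 3389 in the minutes before it. A crash that follows an inbound RDP connection by seconds is exactly the failed-exploit signature described above. The log formats, host names and addresses are all hypothetical.

```python
"""Correlate honeypot reboots with inbound RDP (TCP 3389) connections
that preceded them, the crash-after-exploit-attempt pattern.

Added example on constructed data; both log formats are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed: a poller records each host's kernel boot time on every check.
# fields: check_time host boot_time
BOOT_LOG = """\
2019-10-23T08:00:00Z hp-us-1 2019-10-01T00:00:00Z
2019-10-23T09:00:00Z hp-us-1 2019-10-23T08:41:12Z
2019-10-23T10:00:00Z hp-us-1 2019-10-23T08:41:12Z
2019-10-23T09:00:00Z hp-au-1 2019-10-01T00:00:00Z
2019-10-23T10:00:00Z hp-au-1 2019-10-01T00:00:00Z
"""

# Constructed: edge-firewall style record of inbound TCP connections.
# fields: time host src_ip dst_port
CONN_LOG = """\
2019-10-23T08:39:50Z hp-us-1 203.0.113.7 3389
2019-10-23T08:40:05Z hp-us-1 203.0.113.7 3389
2019-10-23T09:30:00Z hp-au-1 198.51.100.9 3389
2019-10-23T08:00:01Z hp-us-1 192.0.2.10 22
"""


def find_reboots(boot_log):
    """Return [(host, new_boot_time)] for every check where a host's
    reported boot time is later than on the previous check."""
    rows = sorted((line.split() for line in boot_log.splitlines()
                   if line.strip()),
                  key=lambda r: (r[1], _t(r[0])))
    last, reboots = {}, []
    for _check, host, boot in rows:
        boot_t = _t(boot)
        if host in last and boot_t > last[host]:
            reboots.append((host, boot_t))
        last[host] = boot_t
    return reboots


def correlate(boot_log, conn_log, lookback=timedelta(minutes=5),
              port="3389"):
    """For each reboot, list the sources that connected to `port` within
    `lookback` before the new boot time.
    Returns {host: [(boot_time, [src_ips])]}."""
    conns = defaultdict(list)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        t, host, src, dport = line.split()
        if dport == port:
            conns[host].append((_t(t), src))

    out = defaultdict(list)
    for host, boot_t in find_reboots(boot_log):
        srcs = sorted({src for t, src in conns[host]
                       if boot_t - lookback <= t <= boot_t})
        out[host].append((boot_t, srcs))
    return dict(out)


if __name__ == "__main__":
    for host, events in correlate(BOOT_LOG, CONN_LOG).items():
        for boot_t, srcs in events:
            print(f"{host} rebooted at {boot_t:%Y-%m-%d %H:%M:%S}; "
                  f"RDP sources in prior 5 min: {srcs or 'none'}")
```

On the sample, hp-us-1 is reported as rebooting at 08:41:12 with 203.0.113.7 connecting to 3389 twice in the preceding two minutes, while hp-au-1 (which only saw a connection and never rebooted) is silent. A real poller would take the boot time from the host itself and the connection records from the edge firewall; the correlation logic is unchanged. The same data also gives the "increasing regularity" view, by looking at the gaps between successive reboots per host.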
News first broke of the BlueKeep vulnerability earlier this year, when Microsoft took the unusual step of issuing patches for old versions of Windows which it no longer officially supports, and publishing reminders on its blog for users to take action. At the time, it was reported that almost one million vulnerable PCs were connected to the internet, and potentially open to exploitation. The threat was considered serious enough that the likes of the NSA urged administrators and users to patch vulnerable legacy Windows computers.

US: Licenses to Sell to Huawei Coming Soon
The US government will soon partially relax its block on Huawei by allowing domestic tech firms to sell it components, according to the Commerce Department. Although Donald Trump in June signaled a softening of Washington’s hardline approach to the Chinese giant, when he said he’d allow some US firms to start supplying the company again, the all-important licenses have still not appeared. Commerce secretary Wilbur Ross said on Sunday that these “will be forthcoming very shortly,” according to Bloomberg. This will help US firms which have seen rival companies in Asia pick up lucrative contracts to sell Huawei various components, after Trump approved a decision to put the Shenzhen firm and 70 affiliates on an “entity list.” The Commerce Department has already received 260 requests from US firms for licenses to circumvent Huawei’s blacklisting.

US grounds Chinese-made drones as part of security review
Adding to the growing chorus of concern about Chinese technology and potential espionage, the US Department of the Interior (DOI) announced on Wednesday that it’s grounding all Chinese-made drones or drones with Chinese-made parts as it reviews its drone program. According to a 2018 use report, the department owned 531 drones and had conducted 10,342 flights across 42 states and US territories – a 108% increase over 2017. 
That number apparently jumped yet again: according to the Wall Street Journal, the department now has more than 800 drones. A person familiar with the matter told the WSJ that all of the devices are either made in China or have Chinese parts. Secretary Bernhardt is reviewing the Department of the Interior’s drone program. Until this review is completed, the Secretary has directed that drones manufactured in China or made from Chinese components be grounded unless they are currently being utilized for emergency purposes, such as fighting wildfires, search and rescue, and dealing with natural disasters that may threaten life or property. As the WSJ reports, the DOI’s concerns include that the drones could be used to transmit data, including photography and video, of sensitive US infrastructure that may be the subject of future cyberattacks. This is the latest move the US government has taken to push away China, which security experts have pointed to as the most active nation-state when it comes to cyber-espionage against the US government, its corporations and its allies.

What you need to know about the US CLOUD Act and the UK COPOA Act
Dan Swingde: The UK and US governments have signed a new data sharing agreement that allows law enforcement officials quicker and easier access to data held by digital service providers in their counterpart countries. While this law doesn’t allow law enforcement to request data directly from companies on the other side of the Atlantic, data companies store in the cloud could be more easily accessed by foreign agencies. Brought about partly due to difficulties the FBI faced in forcing Microsoft to hand over data stored on servers in Ireland, the Clarifying Lawful Overseas Use of Data (CLOUD) Act was signed into law in 2018. Under the act, US law enforcement can compel US technology companies to hand over data stored on their servers, whether the data is stored in the US or on foreign soil. 
It also allows bilateral agreements with foreign governments to request electronic data from the US in exchange for reciprocal arrangements.

US Department of Justice push for encryption backdoors might run afoul of First Amendment
By Cynthia Brumfield: Running counter to the now decades-long on-again, off-again pursuit by the Justice Department and law enforcement of a backdoor that would allow access to encrypted communications, former FBI general counsel Jim Baker wrote that encryption “is one of the few mechanisms that the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China. This is true even though encryption will impose costs on society, especially victims of other types of crime.” What triggered Baker to write the piece is the recently renewed push by the Justice Department under William Barr to raise again the idea that law enforcement is “going dark” thanks to the rise of end-to-end encryption.

Nikkei Hit in $29m BEC Scam
Media giant Nikkei has become the latest firm to suffer a humiliating Business Email Compromise (BEC), after it admitted losing $29m to scammers following human error. The Tokyo-headquartered firm, which owns the Financial Times, revealed in a brief statement that an employee of its US subsidiary made the crucial mistake. “In late September 2019, an employee of Nikkei America, Inc. … transferred approximately $29m of Nikkei America funds based on fraudulent instructions by a malicious third party who purported to be a management executive of Nikkei,” it noted.

Global Registrar Web.com Suffers Major Breach
US-based Web.com, and subsidiaries Network Solutions and Register.com, discovered on October 16 that they were hit by an attack late in August. “Our investigation indicates that account information for current and former Web.com customers may have been accessed,” the firm said in a statement. 
“This information includes contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder. We encrypt credit card numbers and no credit card data was compromised as a result of this incident.” “We are notifying affected customers through email and via our website, and as an additional precaution are requiring all users to reset their account passwords,” it added.

NCR Barred Mint and QuickBooks from Banking Platform During Account Takeover Storm
Brian Krebs: Banking industry giant NCR Corp. [NYSE: NCR] late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform used by hundreds of financial institutions. That ban, which came in response to a series of bank account takeovers in which cybercriminals used aggregation sites to surveil and drain consumer accounts, has since been rescinded. But the incident raises fresh questions about the proper role of digital banking platforms in fighting password abuse. “The weird part is sometimes the attackers are getting the multi-factor challenge, and sometimes they aren’t,” said the source, who added that he suspected a breach at Mint and/or QuickBooks because NCR had just blocked the two companies from accessing bank Web sites on its platform. NCR wouldn’t say what methods were used, but it seems clear the hacked accounts were tied to customers re-using their online banking passwords at other sites that got hacked. Please remember that if you bank online and choose weak or re-used passwords, there’s a decent chance your account could be compromised by cyber-thieves.

Proton Technologies makes the code of the ProtonMail iOS app open source
Pierluigi Paganini: Recently the cybersecurity firm SEC Consult reviewed the source code of the ProtonMail iOS app and found seven low-risk vulnerabilities in the popular mobile mail client. 
“During the initial code review, SEC Consult found seven low-risk vulnerabilities in the reviewed source code and the mobile app,” reads the report published by SEC Consult. “Although issues with certificate validation have been identified within the encrypted communication between the mobile application and the backend system, the inner layer of end-to-end encryption could not be broken.” The company explained that developers are free to implement and build upon the methods that it has documented and published. The contribution of the cyber security community could help the company to solve real-world privacy challenges, making popular privacy-focused applications safer and more robust.

Government Officials in More Than 20 Countries Targeted via WhatsApp Hacking
Last May, WhatsApp revealed that hackers at NSO Group had been exploiting a vulnerability in its software that allowed them to compromise a phone simply by targeting it with a voice call that planted malware on the device, capable of silently stealing a victim's messages. Now, in the same week that WhatsApp revealed that NSO Group had in fact targeted 1,400 of its users, Reuters reports that government officials in more than 20 countries have also been targeted via WhatsApp hacking. Reuters didn't name the countries, nor did it explicitly confirm that the hacking was carried out by NSO or using the company's tools, but the newswire's story seems to suggest a link to the notorious hacker-for-hire firm. WhatsApp this week already confirmed that, based on an investigation carried out by the nonprofit cybersecurity research group Citizen Lab, NSO targeted more than 100 members of civil society, including journalists, human rights defenders, lawyers, and activists. If NSO has in fact aided in the compromise of government officials, that would represent yet more evidence that its tools and targeting haven't been limited to criminals and terrorists, as the company has long portrayed its work. 
Counter-Strike's Gaming Marketplace Disabled Over Rampant Fraud, Money Laundering
The multiplayer game Counter-Strike: Global Offensive made a matter-of-fact announcement last Monday: it would no longer allow its "container keys" (digital items that players can buy and sell to open containers holding valuable digital items in the game) to be sold or traded on the marketplace of Steam, the online platform run by the game's owner, Valve. That's because, according to the company, the large majority of those trades and sales were being carried out by criminals seeking to launder money through those keys, using them as an unregulated currency. "Worldwide fraud networks have recently shifted to using CS:GO keys to liquidate their gains," the company wrote in a statement. "At this point, nearly all key purchases that end up being traded or sold on the marketplace are believed to be fraud-sourced."

Canada Credit Union Data Breach Bigger Than First Thought: Desjardins
AFP: A massive data breach last year at Desjardins credit union has turned out to be bigger than originally thought, affecting all 4.2 million of its customers, Canada's largest banking co-operative said Friday. Quebec provincial police "informed us that this breach of personal information concerns a greater number than that which was communicated in June," Desjardins president and chief executive Guy Cormier told a news conference. "It is 4.2 million, so all of our individual members, who are affected," he said. Originally the number was announced as 2.9 million...