Cybersecurity News

Investigators said Monday that the hackers behind the global SolarWinds incident used computer code with links to known Russian spying tools, Reuters reports. 

It recently came to light that cyber criminals hacked SolarWinds to gain access to at least 18,000 government and private networks. It is believed that the cyberattackers’ goal was to collect intelligence. 

Now, researchers at Moscow-based cybersecurity company Kaspersky said the attackers deployed code that closely resembled malware associated with a Russian hacking group known as “Turla.” 

The way in which the SolarWinds hack was carried out had three notable similarities to a hacking tool called “Kazuar,” which is used by Turla, according to Costin Raiu, head of global research and analysis at Kaspersky.

Similarities were noted in how the hackers identified their victims and how they avoided being detected through the use of a specific formula to calculate periods with the viruses lying dormant. Additionally, both pieces of malware attempted to obscure their functions from security analysts.  

“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”

Connection likely

Raiu said the similarities point to the likelihood of a link between the two hacking tools, but they don’t necessarily imply that Turla played a role in the SolarWinds hack. He said there’s a possibility that the hackers behind the SolarWinds hack were merely inspired by Kazuar, or that they deliberately planted “false flags” in order to throw off investigators. 

Although Moscow has denied involvement in the hack, U.S. intelligence agencies have said that the hackers were “likely Russian in origin.” Security firms in the U.S. and other countries are continuing to investigate the incident in order to determine its full scope, and the Department of Justice has vowed to take serious action. 

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said last week. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted."

After sitting on the news for almost two weeks, the U.S. Department of Justice (DOJ) has confirmed that its email systems fell prey to the same band of cyberattackers linked to the global SolarWinds incident that has affected government and private sector businesses.

"On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment,” DOJ spokesman Marc Raimondi said in a statement.

Raimondi went on to say that the number of affected email boxes was limited to around 3 percent and that the agency has no indication that any of its classified systems were impacted.

“A major incident”

According to a joint statement issued by the recently organized Cyber Unified Coordination Group -- which includes the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence, and the National Security Agency -- the hackers are “likely Russian in origin” and “responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”

The group’s investigation is ongoing, and it’s possible they could turn up additional government victims. In the group’s estimation, the hackers’ goal appeared to be collecting intelligence, rather than anything destructive.

Nonetheless, the attack on the DOJ was serious enough that it’s vowing to take serious action.

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted."

President Trump has signed an executive order banning several Chinese payment apps, including Alipay and WeChat Pay. 

A senior administration official said the order, which was signed late in the day on Tuesday, aims to keep American user data from being shared with the Chinese government. The Trump administration cited the possibility that the apps mentioned in the order could be used as a “mass tool for global oppression.”

"The United States must take aggressive action against those who develop or control Chinese connected software applications to protect our national security," the order said.

In total, eight Chinese apps are banned under the order: Tencent QQ, CamScanner, SHAREit, VMate, WPS Office, QQ Wallet, Alipay, and WeChat Pay. 

National security concerns

The U.S. government has concluded that the apps named in the order automatically capture “sensitive personally identifiable... and private information” from millions of users in the United States.” President Trump is concerned that the apps could be used to track and build dossiers of personal information on federal employees.

“At this time, action must be taken to address the threat posed by these Chinese connected software applications,” Trump wrote. 

The order will take effect after 45 days, which leaves open the possibility that President-elect Joe Biden will revoke it. The incoming presidential administration has yet to say how it plans to handle the order. 

The Trump administration has previously attempted to ban Chinese-based apps like TikTok and WeChat over national security concerns. Both attempts were unsuccessful. 

In 2019, the administration launched a trade war against Beijing and blacklisted Huawei Technologies, ZTE, and Chinese firms over national security concerns. The Federal Communications Commission (FCC) has designated Huawei and ZTE as national security threats, but both companies have denied that they share data with the Chinese government.

T-Mobile’s cybersecurity team is once again being put to the test. On Monday, the phone carrier announced that it experienced its fourth data breach in three years. 

The company did not say what portion of its nearly 100 million user accounts were at risk, but it did confirm that the data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs.

“Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account,” said Matt Staneff, the Chief Marketing Officer of T-Mobile USA.

“We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”

What happened?

In a letter to customers, Staneff said T-Mobile’s cybersecurity team detected -- then shut down -- “malicious, unauthorized access” to “some” information related to T-Mobile accounts. Staneff qualified “some” as customer proprietary network information (CPNI). Collecting CPNI data is a permission given to phone companies by the Federal Communications Commission (FCC) and typically includes call information like the date, duration of the call, the phone number called, and the type of network a consumer subscribes to -- in short, the type of information that appears on a customer's phone bill.

“We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers,” Staneff said.

T-Mobile users weren’t so lucky in March 2020 when a data breach allowed hackers to gain access to T-Mobile employee email accounts. That, in turn, opened up access to customers’ names, addresses, Social Security numbers, financial account information, phone numbers, billing and account information, and rate plans. 

T-Mobile offers to answer any questions

Staneff said the company is ready to answer additional questions if a customer wants further details. Customers can either contact the company online, ask questions at one of the company’s stores, or go through the customer service team at 1-800-937-8997. 

“We are sorry for any inconvenience this may cause you. We take the security of customer information seriously and, while we have a number of safeguards in place to protect customer information from unauthorized access, we will continue to work to further enhance security so we can mitigate this type of activity,” Staneff promised.

In a blog post on Thursday, Microsoft said it identified more than 40 organizations that were targeted by attackers using “sophisticated measures.”

Most victims of the attack (80 percent) were located in the U.S. The other targeted groups were spread across seven other countries: Canada, Mexico, Belgium, Spain, the U.K., Israel, and the United Arab Emirates. Microsoft said it has started working with the groups identified as victims. 

Those affected were running problematic versions of a third-party software platform called SolarWinds Orion. Hackers were able to escalate intrusions with additional, second-stage payloads. Microsoft said it discovered the intrusions using data from its Microsoft Defender antivirus product, which is built into all Windows installations.

"It's a certainty that the number and location of victims will keep growing," said Microsoft President Brad Smith. 

Microsoft targeted

Microsoft itself was among those targeted by hackers, but the company denied claims that its production systems were compromised or that the attack affected its business customers and end-users. 

"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed," the statement said.

Microsoft said the attack “represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them.” 

The company said the attack is being “actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft." Smith said it’s become clear that stronger international rules are needed to help prevent future attacks of this magnitude. 

“The defense of democracy requires that governments and technology companies work together in new and important ways – to share information, strengthen defenses and respond to attacks,” he wrote. “As we put 2020 behind us, the new year provides a new opportunity to move forward on all these fronts.” 

More than three million Google Chrome and Microsoft Edge users are believed to have installed extensions that contain malicious code, according to security firm Avast. 

Avast researchers said users who installed one of 28 third-party extensions containing hidden malicious JavaScript could be at risk of data theft and phishing attacks. 

The extensions in question are primarily designed to help users download multimedia content from social networks including Facebook, Instagram, Vimeo, or Spotify. But Avast said users could end up being redirected to a site where the attacker gets paid for user visits. In other cases, users could end up on phishing sites. 

“Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit,” the security firm explained.

Names of extensions

Avast said it found evidence that some of the malicious extensions had been active since at least December 2018. The researchers discovered the code hidden in the apps last month and reported their findings to Google and Microsoft. 

Both companies have said they are investigating the extensions. In the meantime, Avast has recommended that users disable or uninstall the extensions. 

Here is the list of Chrome extensions that contain malicious code, according to Avast: 

• Direct Message for Instagram

• DM for Instagram

• Invisible mode for Instagram Direct Message

• Downloader for Instagram

• App Phone for Instagram

• Stories for Instagram

• Universal Video Downloader

• Video Downloader for FaceBook™

• Vimeo™ Video Downloader

• Zoomer for Instagram and FaceBook

• VK UnBlock. Works fast.

• Odnoklassniki UnBlock. Works quickly.

• Upload photo to Instagram™

• Spotify Music Downloader

• The New York Times News

Avast said the following Edge extensions contain malicious code: 

• Direct Message for Instagram™

• Instagram Download Video & Image

• App Phone for Instagram

• Universal Video Downloader

• Video Downloader for FaceBook™

• Vimeo™ Video Downloader

• Volume Controller

• Stories for Instagram

• Upload photo to Instagram™

• Pretty Kitty, The Cat Pet

• Video Downloader for YouTube

• SoundCloud Music Downloader

• Instagram App with Direct Message DM

It looks like Facebook has unfriended Apple. On Wednesday, the social media platform took out full-page ads in the New York Times, Washington Post, and Wall Street Journal to denounce Apple’s upcoming iOS privacy changes. Facebook claims that it’s “standing up to Apple for small businesses everywhere.”

The barrel of ink Facebook is throwing Apple’s way is supposedly related to Apple’s iOS 14 privacy changes, which will require app developers like Facebook to “provide information about some of your app’s data collection practices on your product page.” The change will also require Facebook to “ask users for their permission to track them across apps and websites owned by other companies.”

Facebook comes out swinging

Facebook didn’t come right out and say it, but Apple’s disclosure shift will impact Facebook’s ad business, especially its ad network for developers and businesses if end users opt out of being tracked.

In the ad, Facebook maintains that Apple’s changes will be “devastating to small businesses” that rely on its ad network to leverage clicks and sales. The newspaper ads that Facebook took out ask small businesses to check out the platform’s “speak up for small business” site that features a series of business owners speaking out on Apple’s changes. Some of those comments are pretty shaming -- things like “This is going to affect me and my family,” and “We could lose our business.”

While Apple has yet to publicly respond to Facebook’s ads, the company did respond to similar Facebook claims in November, accusing Facebook of a “disregard for user privacy.” Apple is steadfast in its position that the upcoming privacy policies will be enforced when they go into effect in early 2021. The company said it is “committed to ensuring users can choose whether or not they allow an app to track them.”

Facebook’s call for support

Facebook said it hopes the Direct Marketing Association (DMA) will also set boundaries for Apple. 

“Apple controls an entire ecosystem from device to app store and apps, and uses this power to harm developers and consumers, as well as large platforms like Facebook,” a Facebook spokesperson said in a statement to CNBC. “

If Facebook’s game is to play two ends against the middle, maybe it should have first asked the DMA if it had its back. “We respect your privacy – and so do our members,” is the organization’s promise to consumers.” (Our Association of National Advertisers) ensures that consumers have choices about unwanted marketing offers. Our members honor consumers who don’t want to be contacted. You have choices about the type of marketing you receive.”

The Federal Trade Commission (FTC) turned up the heat on the social media big wigs on Monday. In a new mandate, the Commission will now require nine tech firms to disclose exactly how they collect and use data from their users.

Called on the carpet are the usual suspects -- Amazon, Facebook, and Twitter -- along with Google’s YouTube, TikTok’s owner ByteDance, Discord, Facebook’s WhatsApp, Reddit, and Snap. The companies have until January 28, 2021 to respond.

What is the FTC looking for?

Specifically, the FTC is leveraging Section 6(b) of the FTC Act, which gives it the authority to ask about how the companies “compile data concerning the privacy policies, procedures, and practices of [such] providers, including the method and manner in which they collect, use, store, and disclose information about users and their devices.”

Moving past the legalese, the FTC said that what it’s trying to ascertain is really more consumer-oriented. The questions it wants answered are:

• “How social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;

• How they determine which ads and other content are shown to consumers;

• Whether they apply algorithms or data analytics to personal information;

• How they measure, promote, and research user engagement; and

• How their practices affect children and teens.”

The commissioners weigh in

After making their demands, the FTC commissioners said that the agency is seeking more information in the best interest of consumers.

“Never before has there been an industry capable of surveilling and monetizing so much of our personal lives. Social media and video streaming companies now follow users everywhere through apps on their always-present mobile devices,” Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Christine S. Wilson said in a statement. 

“This constant access allows these firms to monitor where users go, the people with whom they interact, and what they are doing. But to what end? Is this surveillance used to build psychological profiles of users? Predict their behavior? Manipulate experiences to generate ad sales? Promote content to capture attention or shape discourse? Too much about the industry remains dangerously opaque.”

Commissioner Noah Joshua Phillips was the dissenting vote among the commissioners, saying that the move was an “undisciplined foray into a wide variety of topics.” He called his peers out for omitting other companies engaged in business practices similar to the nine companies named. Phillips asked why Apple, Gab, GroupMe, LinkedIn, Parler, Rumble, Tumblr, and WeChat weren’t also named. He answered his own question rather snarkily. 

“The only plausible benefit to drawing the lines the Commission has is targeting a number of high profile companies and, by limiting the number to nine, avoiding the review process required under the Paperwork Reduction Act...which is not triggered if fewer than ten entities are subject to request.”

Russian hackers, believed to be working on behalf of the Kremlin, were apparently behind an attack into computer systems at the departments of the U.S. Treasury and Commerce that may have gone on for months before being detected. To make matters worse, people familiar with the matter feel that this situation just may be the tip of the iceberg.

According to U.S. officials and a report by National Public Radio (NPR), the Russian hackers broke into the email systems at those two government departments, and it was so consequential that it led to a National Security Council meeting at the White House on Saturday, one of the people familiar with the matter told Reuters.

It may not come to anyone’s surprise that Russia denies any involvement. The Russian foreign ministry took to Facebook to say the allegations were nothing more than another “unfounded attempt” by the American media to blame Russia for cyberattacks directed at U.S. agencies.”

Malicious actors

In the Department of Homeland Security’s response to the “known compromise,” it said that the hack involved SolarWinds Orion network monitoring products being exploited by malicious actors.

“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners -- in the public and private sectors -- to assess their exposure to this compromise and to secure their networks against any exploitation,” the DHS’ Cybersecurity and Infrastructure Security Agency said in a statement.

The Commerce Department and the National Security Council both confirmed the breach, but the agencies didn’t give any extra information about the extent of the hack or the measures that have been taken to secure the email accounts.

The private sector is also in danger

In addition to the government breaches, the hackers also wormed their way into the computer system bowels of private companies. 

More than 400 of the U.S. Fortune 500 companies use SolarWinds products, according to KrebsOnSecurity. That list includes all branches of the military, as well as all ten of the Top 10 communications companies, all five of the Top 5 accounting firms, and hundreds of colleges.

Security firm FireEye, which also happened to be hit by the hack, said cyber criminals inserted malware into SolarWinds updates that “(went) to significant lengths to observe and blend into normal network activity.” It also concluded that the breach is a “global campaign” and had confirmed intrusions in North America, Europe, Asia, and the Middle East. 

In a blog post late Sunday, Microsoft echoed FireEye’s assessment, saying that it believes the hack represents “nation-state activity at significant scale, aimed at both the government and private sector." The company also had words for its own users.

“We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations. As part of our ongoing threat research, we monitor for new indicators that could signal attacker activity,” the company said.

FireEye, one of the nation’s leading cybersecurity firms, has shared details of a hack targeting its “Red Team” tools, which it uses to test customers’ security. The firm said there is concern that the hackers could publicly release the tools they accessed or use them to carry out other attacks. 

In a blog post, FireEye CEO Kevin Mandia said the attack was “different from the tens of thousands of incidents we have responded to throughout the years.” 

“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus,” Mandia wrote. “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.” 

Russia reportedly a suspect

FireEye said it doesn’t currently have evidence that any customer information was taken. 

Although the company didn’t say in its report who it believes is responsible for the attack, the Wall Street Journal reported that state-sponsored Russian hackers are a likely suspect. A source familiar with the matter told the Journal that Russia is currently being viewed by investigators as “the most likely culprit.” 

“Moscow’s foreign-intelligence service, known as the SVR and one of two Russian groups that hacked the Democratic National Committee ahead of the 2016 presidential election, is believed to be responsible, the person said,” according to the Journal. 

FireEye didn’t specify when the hack took place or when it became aware of it. The hack is currently being investigated by FireEye, as well as the FBI and industry partners like Microsoft.

Since becoming aware of the attack, FireEye said it’s developed hundreds of countermeasures that can detect or block the use of any of its stolen tools. The firm said it has integrated the measures into its own security products and shared them with “colleagues in the security community.” 

FireEye said it will “continue to share and refine any additional mitigations for the Red Team tools as they become available.” 

A Google researcher has demonstrated an Apple security vulnerability that could have allowed hackers to gain full access to a person’s iPhone. A cyberattacker could have exploited the flaw without having the user download malware or click on a suspicious link. To fall victim, a user would have only had to be within Wi-Fi range. 

Ian Beer -- a security researcher with Google’s Project Zero -- explained in a video this week that it was possible for a Raspberry Pi setup with off-the-shelf Wi-Fi adapters to steal photos from an iPhone in a different room in a matter of minutes. The same security vulnerability also allowed Beer to repeatedly reboot 26 iPhones at the same time. 

Apple fixed the vulnerability in May, but Beer said he spent six months looking into the issue.

"Imagine the sense of power an attacker with such a capability must feel," Beer said in a blog post. "As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target."

Full access to a device

Through his extensive research, Beer found a “wormable radio-proximity exploit” that allowed him to gain “complete control over any iPhone in my vicinity.” He said he was able to view phones, read emails, copy private messages, and monitor everything that happens on a device in real-time. 

“The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine,” he wrote. “Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”

Beer said he hadn’t seen any evidence that the flaw was exploited prior to being fixed, but he said consumers can never be too careful when it comes to the security of their mobile devices. Issues like these are likely to surface again. 

"As things stand now in November 2020, I believe it's still quite possible for a motivated attacker with just one vulnerability to build a sufficiently powerful weird machine to completely, remotely compromise top-of-the-range iPhones," Beer said.

A hacker is reportedly selling access to email accounts belonging to “hundreds” of high level executives across the world. The accounts are going for $100 to $1500 each, depending on the value of each account. The targets include CEOs, vice presidents, and directors. 

The email and password combinations are being sold on a “closed-access underground forum for Russian-speaking hackers named Exploit.in,” according to ZDNet. The seller did not disclose how he obtained the login credentials, but he claimed to have hundreds of additional accounts to sell. 

ZDNet said a cybersecurity source has confirmed the validity of the stolen data. That source has begun the process of notifying all the affected companies. 

Scam potential 

If corporate executive login credentials fall into the wrong hands, both the executives and their workers could be affected. Cybercriminals can use compromised corporate email credentials for a variety of money-making schemes, KELA Product Manager Raveed Laeb explained to ZDNet. 

"Attackers can use them for internal communications as part of a 'CEO scam' - where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme,” Laeb said.

Stolen login credentials can also be “exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion," Laeb added.

To reduce the likelihood of such events unfolding, cybersecurity experts highly recommend using two-step verification or two-factor authentication for online accounts. Attackers won’t be able to do anything with stolen login details in cases where the user has set up 2SV or 2FA. 

Password manager NordPass has released its annual list of the worst passwords, and 2020’s list includes many of the same weak passwords as years prior. 

Consumers are still protecting their data with simple passwords that are infamous for being easy to crack, according to this year’s list. For example, NordPass found that millions of people are still using “password" and “123456” as passwords. The firm said the latter has been breached more than 23 million times. 

Many people may choose variations of the number bar because it’s quick and easy to type, but research has found that these frequently used passwords take less than a second to crack. Combinations of adjacent keys, such as “asdfghjkl” or “qwertyuiop,” have also been found to be highly vulnerable to cracking. 

Worst passwords of 2020

NordPass’s full list contains 200 of the most commonly used passwords, ranked by metrics such as how many times each password has been exposed and how long it would take an unauthorized party to crack it. 

Below are the top 20 worst passwords of the year. 

• 123456

• 123456789

• picture1

• password

• 12345678

• 111111

• 123123

• 12345

• 1234567890

• senha

• 1234567

• qwerty

• abc123

• Million2

• 000000

• 1234

• iloveyou

• aaron431

• password1

• qqww1122

Protecting your data

To keep sensitive data from being exposed, NordPass recommends making sure all passwords are unique and complex. This can be made easier through the use of a password manager or a third-party service like LastPass or Apple’s iCloud Keychain. 

NordPass also suggests enabling two-factor authentication when possible and deleting any old or inactive accounts. 

In all the hoopla regarding new vaccine test success from Moderna and Pfizer, Microsoft has uncovered a series of cyber attacks coming from Russia and North Korea targeted at research companies doing those tests.

In a blog post, Microsoft says the attacks targeted seven major pharmaceutical companies and researchers in Canada, France, India, and South Korea, and the U.S. Microsoft didn’t say which companies were targeted or what type of information may have actually been compromised or stolen, but officials said they had notified the organizations and offered help where the attacks were successful.

“Two global issues will help shape people’s memories of this time in history – COVID-19 and the increased use of the internet by malign actors to disrupt society. It’s disturbing that these challenges have now merged as cyberattacks are being used to disrupt health care organizations fighting the pandemic,” wrote Microsoft’s Tom Burt, Corporate Vice President, Customer Security & Trust.

“We think these attacks are unconscionable and should be condemned by all civilized society. Today, we’re sharing more about the attacks we’ve seen most recently and are urging governments to act.”

The attacks and the protection

There are actually three key players in the attacks: “Strontium,” an actor originating from Russia, and two actors originating from North Korea that Microsoft has dubbed “Zinc” and “Cerium.”

Strontium uses “password spray” and brute force login attempts to steal personal login credentials. The software it uses conducts millions of rapid attempts to crack a third-party’s personal data. Zinc’s game is to use spear-phishing lures for credential theft by sending messages with fabricated job descriptions pretending to be recruiters. And Cerium? The angle it works is spear-phishing with email lures using COVID-19 themes while masquerading as World Health Organization representatives. 

Luckily, Burt says the “majority” of the attacks have been blocked by security protections built into the company’s products. The company is continuing to make its threat notification service, “AccountGuard,” available for free to health care and human rights organizations working on COVID-19. 

The company says that 195 health care-related groups have enrolled in the service, and it now protects 1.7 million email accounts that those organizations serve.

A Microsoft executive is urging users to move away from phone-based multi-factor authentication (MFA) mechanisms and instead embrace newer security technologies, like app-based authenticators and security keys.

In a blog post, Alex Weinert, Director of Identity Security at Microsoft, said app-based two-factor authentication provides greater security.

Weinert said telephone-based multi-factor authentication (MFA) solutions -- like one-time codes sent via SMS and voice calls -- are “based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.” 

“That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages,” he said. “Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.” 

MFA is ‘essential’

In 2019, Weinert penned a blog post in which he said that internal Microsoft statistics showed that users who enabled MFA blocked around 99.9 percent of automated attacks against their Microsoft accounts. 

In a follow up blog post earlier this week, he stressed that MFA itself is essential -- but the way people use it should change. If users have to choose between multiple MFA mechanisms, he said they should avoid phone-based MFA which can be intercepted by attackers. 

Weinert said a good place to start is by using Microsoft’s Authenticator MFA app. For even greater security, hardware security keys can be used. 

The Federal Trade Commission (FTC) announced a settlement with video conferencing platform Zoom on Monday that will require the company to implement a sturdier information security program. The FTC alleged that Zoom engaged in a series of “deceptive and unfair practices” that essentially undermined the security of its users.

The FTC’s complaint dates back to 2016 when the agency alleged that Zoom deceived users by falsely promising that it offered “end-to-end, 256-bit encryption” to secure users’ communications. Regulators said the falsehood created the possibility that other people (including Zoom) could read a user’s content. 

In the FTC’s eyes, Zoom also erroneously told users who wanted to store recorded meetings on the company’s cloud storage that those meetings were encrypted immediately after their meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.

Enter COVID-19

The matter was complicated further during the COVID-19 pandemic. Zoom’s reach skyrocketed from 10 million in December 2019 to 300 million in April 2020, putting even more users’ privacy at risk. 

Earlier this summer, the company attempted to soften the FTC’s angst by improving its security for all users versus only its paying subscribers, but those actions seemingly weren’t enough to appease regulators.

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

What changes Zoom users will see

The FTC’s laundry list of changes that Zoom users are supposed to see thanks to the settlement include:

• The annual assessment and documentation of any potential internal and external security risks and develop ways to safeguard against such risks;

• Implementation of a vulnerability management program; and

• Deployment of safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and taking steps to prevent the use of known compromised user credentials.

The FTC didn’t stop there, though. On top of those three key changes, Zoom agreed to review any software updates for potential security flaws and must ensure that software updates will not hamper third-party security features. The company has also agreed not misrepresent to the public its collection and use of personal information, and it will have an assessment of security program made by an independent third party every other year.

The hotel reservation firm Prestige Software has exposed the data of millions of guests worldwide, Website Planet reports. 

Prestige Software -- a platform that enables hotels to automate their availability on booking websites like Expedia and Booking.com -- reportedly stored files dating as far back as 2013 without any protection in place. 

Exposed information included names, credit card details, ID numbers, and reservation details. In some cases, logs contained personally identifiable information for multiple members included in a single booking.

No evidence of third party access 

At this time, it’s not known how long the trove of data was left unsecured or if any third parties accessed it. If the data was found by a cybercriminal, the party could steal identities, carry out phishing scams, or even hijack a reservation.

“Millions of people were potentially exposed in the data breach, from all over the world. We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” said researcher Mark Holden. “So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”

Website Planet said the firm quickly fixed the vulnerability after being alerted to the issue. 

Holden said that due to the sheer number of hotel and travel websites involved in the breach, it’s “impossible to help anyone already exposed if somebody found the data before us.” Clients of Prestige Software include Booking.com, Expedia, Hotels.com, and many others. 

“If you’re a customer of any of the websites listed in this report and are concerned about how this leak might impact you, contact the company directly to determine what steps it’s taking to protect your data,” Website Planet said.

The U.S. government has taken control of $1 billion in bitcoin from the now-defunct online black market Silk Road. The capture represents the largest cryptocurrency seizure to date.

Silk Road ranks as the most infamous online criminal marketplace of its day, but the Department of Justice (DOJ) brought it to its knees in 2015 when it successfully prosecuted its founder, Ross Ulbricht, on seven counts that included unlawfully facilitating the sale of illegal drugs and money laundering. 

By the time Silk Road was brought to justice, it had reportedly generated sales revenue totaling over 9.5 million bitcoins. Commissions from these sales totalled over 600,000 bitcoins, which presumably went right into Ulbricht’s pockets.

Follow the money

This is where the story gets interesting. Before Ulbricht was sent off to prison, he sheltered a billion in bitcoins in a digital wallet and did his best to tuck away the wallet where it would be hard to find.

Someone referred to as “Individual X” supposedly hacked the Silk Road’s payments system some time in either 2012 or 2013. The DOJ says that Ulbricht “threatened Individual X for the return of the cryptocurrency,” but the mysterious hacker refused. 

Enter the DOJ and the Washington DC Cyber Crimes Unit. The group -- which is tasked with virtual currency transactions -- used a third-party bitcoin tracing company to analyze bitcoin transactions carried out by Silk Road and was able to identify 54 previously undetected transactions executed by the platform. An analysis showed that all of those transactions appeared to represent all proceeds of unlawful activity stolen from Silk Road.

The DOJ continued its hunt, and it cornered Individual X on November 3, 2020. The anonymous hacker agreed to hand over the stolen bitcoin and transfer it to the government's hands. The DOJ is mum on whether Individual X was arrested, cut a plea bargain, or even how their cooperation was attained.

“Criminal proceeds should not remain in the hands of the thieves,” IRS-CI Special Agent in Charge Kelly R. Jackson said in a statement. “The Washington DC Cyber Crimes Unit is uniquely specialized in tracing virtual currency transactions and we will continue to hone our skills to combat illegal activity.”

GrowDiaries, an online community of marijuana growers, has suffered a major data breach. 

Security researcher Bob Diachenko reported that GrowDiaries left two of its Kibana apps -- an open-source analytics and visualization platform normally used by a company’s development and IT staff -- exposed online without administrative passwords since September 22, 2020. 

One of the unsecured Kibana apps led to the exposure of sensitive information belonging to 1.4 million users of the site. Information exposed included passwords, email addresses, and IP addresses. The other database exposed user articles posted on the GrowDiaries site, as well as users’ account passwords. 

Diachenko said he discovered the unprotected database on October 10. 

“It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords,” he wrote. “The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.” 

GrowDiaries secured its server less than a week after Diachenko notified site administrators of the issue. Although the site has been secured, GrowDiaries users are still urged to change their passwords just in case their old password was exposed. 

Diachenko said he couldn’t say for sure if any other third-parties accessed the data while it was unsecured, but it “seems likely.” 

The Federal Bureau of Investigation (FBI) has warned that hospital information systems have been hit by coordinated ransomware attacks, which could possibly lead to disruptions in patient care. 

In a joint advisory on Wednesday, the FBI and two other federal agencies said malicious groups have levied several data-scrambling extortion attempts against hospitals and healthcare providers over the past few weeks. 

Officials said they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The attacks could lead to “data theft and disruption of healthcare services,” the agencies said. 

Attack on health care system

The warning coincides with an uptick in the number of COVID-19 infections nationwide. On Monday, an analysis of data from Johns Hopkins University showed 69,967 new COVID-19 cases in the U.S. In just the last week, the seven-day average of new cases has risen 20 percent.

Officials said the targeted ransomware attacks will likely create issues that will be “particularly challenging for organizations within the COVID-19 pandemic.” Institutions are urged to take precautions to protect their networks. Recommended precautions include regularly updating software, backing up data, and monitoring who is accessing their systems. 

In September, cyber attackers launched a highly coordinated ransomware attack on a major U.S. hospital chain. The incident forced some hospital employees to revert to using pen and paper to file patient information. 

In the most recent wave of attacks on hospital networks, malicious groups are using Ryuk ransomware -- software used to encrypt and secure files. The attackers are using the Trickbot network of infected computers to gain access to data, disrupt health care services and demand money from health care facilities in order to decrypt the files. 

Google has pulled three popular apps from the Google Play Store after finding that the apps violated its policies regarding the collection of children’s data. 

The apps that were removed were Princess Salon, Number Coloring, and Cats & Cosplay. Collectively, the apps had amassed more than 20 million downloads prior to being removed. 

The International Digital Accountability Council (IDAC) determined that the apps -- which were all aimed at younger users -- violated "broader Google Play policies around data collection.” The watchdog group notified Google of its findings, and Google swiftly removed the apps. 

“The practices we observed in our research raised serious concerns about data practices within these apps,” IDAC president Quentin Palfrey said in a statement. “We applaud Google for taking steps to enforce on these apps and the third-party data practices within these apps.”

Data-privacy violations

The researchers said the apps were built upon problematic third-party frameworks, which collected Android ID and Android Advertising ID data. The three software development kits (SDKs) used in the apps -- Unity, Appodeal, and Umeng -- made it possible for them to violate Google’s privacy protection regulations. 

Palfrey said the IDAC found that certain versions of the Unity SDK were "collecting both the user’s AAID [unique user ID for advertising] and Android ID simultaneously, which may have allowed Unity to bypass privacy controls and track users over time and across devices."

“Google took corrective action in response, after its own investigation,” the Council said. 

The IDAC didn’t provide an estimate of how much data, if any, was taken as a result of the issues. No violations were discovered in iOS versions of the three apps, according to the group. 

“These apps broke rules barring the uses of developer kits that aren’t approved for ‘child-directed services,’” Google said in a statement. 

Google added that it’s in the process of establishing procedures to detect these kinds of violations before they end up on the Google Play store. The company has said that it’s working with privacy organizations to prevent developers from violating the rules.

Critics argue that Google’s size and power creates a number of problems. The removal of the apps comes less than a week after the U.S. Department of Justice announced that it is suing Google for allegedly abusing its industry dominance to stifle competition in online search and search advertising. 

During the coronavirus (COVID-19) pandemic, more consumers than ever are using online banking. Yet a new survey shows banks in the U.S. and Canada are struggling to implement practices that combat online identity fraud and money laundering, without turning off their customers.

In an age of digital banking, the survey found that just over half of North American banks are still requiring customers to prove their identities by visiting branches or posting documents when opening digital accounts. 

The survey found the same situation in 25 percent of mortgages or home loans and 15 percent of credit cards opened online.

Rethinking their approach

"The pandemic has forced industries to fully embrace digital,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO, which commissioned the survey. “We now are seeing North American banks that relied on face-to-face interactions to prove customers' identities rethinking how to adapt to the digital-first economy."  

Andrew, of Scottsdale, Ariz., recently had this experience. In a post on ConsumerAffairs, Andrew told us that a fraud alert resulted in his Chase bank account being locked.

“I simply called their security department and was told it was closed out due to bank identity and that I would have to go into a branch and show 2 forms of ID's,” Andrew wrote in his post. 

Banks everywhere have instituted new procedures when fraud is suspected, a necessary measure considering the exponential growth of the crime. But Lasher says all banks should consider making the process as user-friendly as possible because it’s good for business in the long run.

"Today's consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations,” she said. “Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult."

Slow to embrace digital verification

The study found that only 16 percent of North American banks use the type of fully integrated, real-time digital capture and validation tools that FICO says are required for consumers to securely open a financial account online. 

Some banks have adopted some form of digital verification, but the study found that in most cases, the experience “still raises barriers,” with customers expected to use email or visit an "identity portal" to verify their identities.

The authors suggest that banks create a “frictionless process” that will meet consumers' expectations. Failing to do so could lead to a loss of business.

According to FICO's recent Consumer Digital Banking study, 75 percent of customers said they would open a bank account online, but 23 percent of them would give up and go somewhere else if they faced a difficult or inconvenient identity verification process.

Three-quarters of the banks in the study told FICO they plan to invest in an identity management platform within the next three years.  

More than 100 Dickey’s Barbeque Restaurants across the U.S. were involved in a data breach that spanned more than a year. 

KrebsOnSecurity reported that one of the dark web’s most popular stores for selling stolen credit card information was offering card numbers belonging to customers of Dickey’s Barbeque Restaurants. 

Around three million new credit card records were being offered this week on a dark web carding site called “Jokers Stash.” Security researchers at Gemini Advisory initially discovered the stolen credit card numbers for sale on the dark web marketplace. 

Long-running breach

Gemini said its analysis found that 156 of the eatery’s 469 locations across 30 states were compromised. The largest percentage of stolen numbers were from California and Arizona. The data was accessed between July 2019 and August 2020, the researchers said. 

“Given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations,” researchers said in a blog post.

Report suspicious charges

In a statement, the barbeque franchise said it’s aware of the safety incident and that it’s currently investigating its scope.

“We obtained a report indicating [that a] cost card safety incident might have occurred. We’re taking this incident very significantly and instantly initiated our response protocol and an investigation is underway. We’re presently centered on figuring out the places affected and time frames concerned,” Dickey’s said.

Consumers who have visited Dickey’s Barbeque in the past year are urged to monitor their bank accounts and credit card transactions and report any fraudulent or suspicious charges to their financial institution as soon as possible. 

Barnes & Noble has disclosed that it was recently the victim of a cybersecurity attack, leading to "unauthorized and unlawful access to certain Barnes & Noble corporate systems."

In emails sent to customers, the bookseller said the personal data of some customers may have been accessed during the breach. The potentially exposed information includes customer email addresses, billing and shipping addresses, telephone numbers, and transaction histories. 

"It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems,” Barnes & Noble said in the email. "We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility.”

Barnes & Noble stressed that no financial data -- which it stores "encrypted and tokenized" for security purposes -- was taken or available to the hackers. However, the company warned that leaked email addresses could be used to carry out phishing campaigns. 

Nook platform affected

Nook Digital, the company’s eBook and e-Reader platform, was also affected by the breach. Since Sunday, Nook owners have been unable to download books to their devices. The bookstore giant acknowledged the issue in a tweet, telling customers that it was investigating the cause and that service restoration was taking longer than expected.

“We are continuing to experience a systems failure that is interrupting NOOK content. We are working urgently to get all NOOK services back to full operation. Unfortunately it has taken longer than anticipated, and we sincerely apologize for this inconvenience and frustration,” the company said.

Barnes & Noble assured customers that there was “no compromise of customer payment details” and said it will let users know when service has been restored.

“We expect NOOK to be fully operational shortly and will post an update once systems are restored,” the company wrote in an October 14 tweet. 

A band of Chinese digital wrongdoers have apparently ripped off Facebook users to the tune of $4 million. At Virus Bulletin’s virtual VB2020 conference, Facebook’s malware researchers and security analysts revealed that malware was found abusing Facebook's ad platform to run malicious ad campaigns that spammed users with phony celebrity endorsements and enticed them to make fraudulent purchases. 

Facebook’s security team coined the malware ‘SilentFade’ – ‘Silently running Facebook ADs with Exploits’ -- based on how the attacks were carried out. The malware’s M.O. was to infect users with the malware, then commandeer the users' browsers and make off with browser cookies and passwords.

Once they had that, the bandits searched for user accounts that had payment methods associated with their profile. At that point, SilentFade was off to the races, buying Facebook ads for things like keto pills and weight loss products with the victim's funds. 

All told, Facebook said the group was able to fleece more than $4 million from infected users. To make things whole, Facebook reimbursed the $4 million back to the victims for unauthorized ads purchased using their ads accounts.

Not exclusive to Facebook

Satnam Narang -- a staff research engineer at Tenable who has uncovered similar scams on other social media platforms like TikTok, Instagram, and Twitter -- noted that it’s a well-conceived, “cunning” scam designed to take advantage of Facebook’s bill