Cybersecurity News

SolarWinds hack bears similarities to tool used by Russian hackers

Researchers say the code deployed was similar to one used by a known Russian hacking group

Investigators said Monday that the hackers behind the global SolarWinds incident used computer code with links to known Russian spying tools, Reuters reports. 

It recently came to light that the attackers compromised SolarWinds' software build process and shipped a backdoor inside updates to its Orion platform. SolarWinds has said that up to 18,000 customers, including government agencies and private companies, may have installed the tainted update, though far fewer appear to have been actively exploited. It is believed that the cyberattackers’ goal was to collect intelligence. 

Now, researchers at Moscow-based cybersecurity company Kaspersky said the attackers deployed code that closely resembled malware associated with a Russian hacking group known as “Turla.” 

The backdoor used in the SolarWinds hack had three notable similarities to a backdoor called “Kazuar,” which is used by Turla, according to Costin Raiu, head of global research and analysis at Kaspersky.

Similarities were noted in how each piece of malware generates a unique identifier for its victim, and in the algorithm both use to compute how long to lie dormant between periods of activity, a delay that helps them avoid detection. Additionally, both pieces of malware attempted to obscure their functions from security analysts.  

“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”

Connection likely

Raiu said the similarities point to the likelihood of a link between the two hacking tools, but they don’t necessarily imply that Turla played a role in the SolarWinds hack. He said there’s a possibility that the hackers behind the SolarWinds hack were merely inspired by Kazuar, or that they deliberately planted “false flags” in order to throw off investigators. 

Although Moscow has denied involvement in the hack, U.S. intelligence agencies have said that the hackers were “likely Russian in origin.” Security firms in the U.S. and other countries are continuing to investigate the incident in order to determine its full scope, and the Department of Justice has vowed to take serious action. 

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said last week. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted."


Justice Department confirms that it was part of the SolarWinds hack

The agency calls the attack a major incident and vows to take serious action

After sitting on the news for almost two weeks, the U.S. Department of Justice (DOJ) has confirmed that its email systems fell prey to the same band of cyberattackers linked to the global SolarWinds incident that has affected government and private sector businesses.

"On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment,” DOJ spokesman Marc Raimondi said in a statement.

Raimondi went on to say that the number of affected mailboxes was limited to around 3 percent of the department’s O365 mailboxes and that the agency has no indication that any of its classified systems were impacted.

“A major incident”

According to a joint statement issued by the recently organized Cyber Unified Coordination Group -- which includes the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence, and the National Security Agency -- the hackers are “likely Russian in origin” and “responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”

The group’s investigation is ongoing, and it’s possible they could turn up additional government victims. In the group’s estimation, the hackers’ goal appeared to be collecting intelligence, rather than anything destructive.

Nonetheless, the attack on the DOJ was serious enough that it’s vowing to take serious action.

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted."


President Trump bans WeChat Pay and several other Chinese apps

The Trump administration says the apps raise national security concerns

President Trump has signed an executive order banning several Chinese apps, including the payment apps Alipay and WeChat Pay. 

A senior administration official said the order, which was signed late in the day on Tuesday, aims to keep American user data from being shared with the Chinese government. The Trump administration cited the possibility that the apps mentioned in the order could be used as a “mass tool for global oppression.”

"The United States must take aggressive action against those who develop or control Chinese connected software applications to protect our national security," the order said.

In total, eight Chinese apps are banned under the order: Tencent QQ, CamScanner, SHAREit, VMate, WPS Office, QQ Wallet, Alipay, and WeChat Pay. 

National security concerns

The U.S. government has concluded that the apps named in the order automatically capture “sensitive personally identifiable... and private information” from millions of users in the United States. The order says that data could be used to track federal employees and contractors and to build dossiers of personal information on them.

“At this time, action must be taken to address the threat posed by these Chinese connected software applications,” Trump wrote. 

The order will take effect after 45 days, which leaves open the possibility that President-elect Joe Biden will revoke it. The incoming presidential administration has yet to say how it plans to handle the order. 

The Trump administration has previously attempted to ban Chinese-based apps like TikTok and WeChat over national security concerns. Both attempts were unsuccessful. 

In 2019, the administration launched a trade war against Beijing and blacklisted Huawei Technologies, ZTE, and other Chinese firms over national security concerns. The Federal Communications Commission (FCC) has designated Huawei and ZTE as national security threats, but both companies have denied that they share data with the Chinese government.


T-Mobile admits to its fourth data breach in three years

Customers were much luckier this time than they have been in the past

T-Mobile’s cybersecurity team is once again being put to the test. On Monday, the phone carrier announced that it experienced its fourth data breach in three years. 

The company did not say what portion of its nearly 100 million user accounts were at risk, but it did confirm that the data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs.

“Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account,” said Matt Staneff, the Chief Marketing Officer of T-Mobile USA.

“We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”

What happened?

In a letter to customers, Staneff said T-Mobile’s cybersecurity team detected, then shut down, “malicious, unauthorized access” to “some” information related to T-Mobile accounts. Staneff qualified “some” as customer proprietary network information (CPNI). CPNI is the call-detail and service data a carrier acquires simply by providing phone service, and which it is required to protect under Section 222 of the Communications Act and the FCC’s implementing rules. It typically includes the date, time and duration of calls, the numbers called, and the type of rate plan a customer subscribes to; in short, the kind of information that appears on a phone bill. Even without names or Social Security numbers, call-detail records reveal who a subscriber talks to and when, which is why carriers must report CPNI breaches to federal law enforcement.


T-Mobile users weren’t so lucky in March 2020 when a data breach allowed hackers to gain access to T-Mobile employee email accounts. That, in turn, opened up access to customers’ names, addresses, Social Security numbers, financial account information, phone numbers, billing and account information, and rate plans. 

T-Mobile offers to answer any questions

Staneff said the company is ready to answer additional questions if a customer wants further details. Customers can either contact the company online, ask questions at one of the company’s stores, or go through the customer service team at 1-800-937-8997. 

“We are sorry for any inconvenience this may cause you. We take the security of customer information seriously and, while we have a number of safeguards in place to protect customer information from unauthorized access, we will continue to work to further enhance security so we can mitigate this type of activity,” Staneff promised.


Microsoft says at least 40 organizations were targeted in massive cyber breach

The company says the list of victims is likely to keep growing

In a blog post on Thursday, Microsoft said it identified more than 40 organizations that were targeted by attackers using “sophisticated measures.”

Most victims of the attack (80 percent) were located in the U.S. The other targeted groups were spread across seven other countries: Canada, Mexico, Belgium, Spain, the U.K., Israel, and the United Arab Emirates. Microsoft said it has started working with the groups identified as victims. 

Those affected were running trojanized versions of a third-party software platform called SolarWinds Orion. From that initial foothold the attackers escalated a subset of intrusions with additional, second-stage payloads. Microsoft said it identified these victims using telemetry from its Microsoft Defender antivirus product, which ships with Windows 10.

"It's a certainty that the number and location of victims will keep growing," said Microsoft President Brad Smith. 

Microsoft targeted

Microsoft itself was among those targeted by hackers, but the company denied claims that its production systems were compromised or that the attack affected its business customers and end-users. 

"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed," the statement said.

Microsoft said the attack “represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them.” 

The company said the attack is being “actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft." Smith said it’s become clear that stronger international rules are needed to help prevent future attacks of this magnitude. 

“The defense of democracy requires that governments and technology companies work together in new and important ways – to share information, strengthen defenses and respond to attacks,” he wrote. “As we put 2020 behind us, the new year provides a new opportunity to move forward on all these fronts.” 


Security researchers find malicious code in 28 Chrome and Edge extensions

Over three million users are advised to disable or uninstall the extensions right away

More than three million Google Chrome and Microsoft Edge users are believed to have installed extensions that contain malicious code, according to security firm Avast. 

Avast researchers said users who installed one of 28 third-party extensions containing hidden malicious JavaScript could be at risk of data theft and phishing attacks. 

The extensions in question are primarily designed to help users download multimedia content from social networks and media sites such as Facebook, Instagram, Vimeo, and Spotify. But Avast said the extensions could redirect users to a site where the attacker gets paid for visits, or, in other cases, to phishing sites. 

“Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit,” the security firm explained.

Names of extensions

Avast said it found evidence that some of the malicious extensions had been active since at least December 2018. The researchers discovered the code hidden in the extensions last month and reported their findings to Google and Microsoft. 

Both companies have said they are investigating the extensions. In the meantime, Avast has recommended that users disable or uninstall the extensions. 

Here is the list of Chrome extensions that contain malicious code, according to Avast: 

  • Direct Message for Instagram

  • DM for Instagram

  • Invisible mode for Instagram Direct Message

  • Downloader for Instagram

  • App Phone for Instagram

  • Stories for Instagram

  • Universal Video Downloader

  • Video Downloader for FaceBook™

  • Vimeo™ Video Downloader

  • Zoomer for Instagram and FaceBook

  • VK UnBlock. Works fast.

  • Odnoklassniki UnBlock. Works quickly.

  • Upload photo to Instagram™

  • Spotify Music Downloader

  • The New York Times News

Avast said the following Edge extensions contain malicious code: 

  • Direct Message for Instagram™

  • Instagram Download Video & Image

  • App Phone for Instagram

  • Universal Video Downloader

  • Video Downloader for FaceBook™

  • Vimeo™ Video Downloader

  • Volume Controller

  • Stories for Instagram

  • Upload photo to Instagram™

  • Pretty Kitty, The Cat Pet

  • Video Downloader for YouTube

  • SoundCloud Music Downloader

  • Instagram App with Direct Message DM
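As an added example (not code from Avast or from this page), the following Python script walks a Chrome or Edge profile’s Extensions directory, reads each extension’s manifest.json (resolving localized `__MSG_…__` names through `_locales`), and flags any whose display name matches the lists above. The default profile paths for Windows, macOS and Linux are assumed here; the sample profile the script builds in a temporary directory is constructed for the demonstration. A name match is a triage signal, not proof: extension names are not unique, so compare the 32-character extension ID against the IDs in Avast’s report before acting on a hit.

```python
import json
import os
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Names from Avast's Chrome and Edge lists, merged. The trademark symbol is
# stripped before comparison so "Vimeo\u2122 Video Downloader" also matches.
FLAGGED_NAMES = {
    "Direct Message for Instagram", "DM for Instagram",
    "Invisible mode for Instagram Direct Message", "Downloader for Instagram",
    "App Phone for Instagram", "Stories for Instagram", "Universal Video Downloader",
    "Video Downloader for FaceBook", "Vimeo Video Downloader",
    "Zoomer for Instagram and FaceBook", "VK UnBlock. Works fast.",
    "Odnoklassniki UnBlock. Works quickly.", "Upload photo to Instagram",
    "Spotify Music Downloader", "The New York Times News",
    "Instagram Download Video & Image", "Volume Controller",
    "Pretty Kitty, The Cat Pet", "Video Downloader for YouTube",
    "SoundCloud Music Downloader", "Instagram App with Direct Message DM",
}


def normalize(name: str) -> str:
    return name.replace("\u2122", "").strip().casefold()


FLAGGED = {normalize(n) for n in FLAGGED_NAMES}


def extension_name(ext_dir: Path) -> Optional[str]:
    """Display name from manifest.json; localized names are looked up in _locales."""
    manifest = ext_dir / "manifest.json"
    if not manifest.is_file():
        return None
    data = json.loads(manifest.read_text(encoding="utf-8"))
    name = data.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2]
        msgs = ext_dir / "_locales" / data.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            name = json.loads(msgs.read_text(encoding="utf-8")).get(key, {}).get("message", name)
    return name


def scan_extensions_dir(root: Path) -> List[Tuple[str, str, str]]:
    """Walk <profile>/Extensions/<id>/<version>/ and return (id, version, name) for flagged ones."""
    hits: List[Tuple[str, str, str]] = []
    if not root.is_dir():
        return hits
    for ext_id in sorted(p for p in root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_id.iterdir() if p.is_dir()):
            name = extension_name(version_dir)
            if name and normalize(name) in FLAGGED:
                hits.append((ext_id.name, version_dir.name, name))
    return hits


def default_extension_roots() -> List[Path]:
    """Assumed default-profile Extensions directories for Chrome and Edge."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
        return [base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions",
                base / "Microsoft" / "Edge" / "User Data" / "Default" / "Extensions"]
    if sys.platform == "darwin":
        base = home / "Library" / "Application Support"
        return [base / "Google" / "Chrome" / "Default" / "Extensions",
                base / "Microsoft Edge" / "Default" / "Extensions"]
    base = home / ".config"
    return [base / "google-chrome" / "Default" / "Extensions",
            base / "microsoft-edge" / "Default" / "Extensions"]


def build_sample_profile() -> Path:
    """Constructed sample: one localized-name extension from the list, one benign."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    bad = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "2.3.1"
    (bad / "_locales" / "en").mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "default_locale": "en", "version": "2.3.1"}), encoding="utf-8")
    (bad / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"appName": {"message": "Vimeo\u2122 Video Downloader"}}), encoding="utf-8")
    good = root / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "1.0.0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps(
        {"name": "uBlock Origin", "version": "1.0.0"}), encoding="utf-8")
    return root


if __name__ == "__main__":
    for root in [build_sample_profile(), *default_extension_roots()]:
        for ext_id, version, name in scan_extensions_dir(root):
            print(f"FLAGGED {name!r} id={ext_id} version={version} in {root}")
```

Run it as the affected user (the profile directories are per-user); for non-default profiles, point `scan_extensions_dir` at that profile’s Extensions folder.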


Facebook takes out full-page ads to slam Apple’s upcoming privacy changes

The social media giant claims Apple’s update threatens millions of small businesses

It looks like Facebook has unfriended Apple. On Wednesday, the social media platform took out full-page ads in the New York Times, Washington Post, and Wall Street Journal to denounce Apple’s upcoming iOS privacy changes. Facebook claims that it’s “standing up to Apple for small businesses everywhere.”

The barrel of ink Facebook is throwing Apple’s way is supposedly related to Apple’s iOS 14 privacy changes, which will require app developers like Facebook to “provide information about some of your app’s data collection practices on your product page.” The change will also require Facebook to “ask users for their permission to track them across apps and websites owned by other companies.”

Facebook comes out swinging

Facebook didn’t come right out and say it, but Apple’s disclosure shift will impact Facebook’s ad business, especially its ad network for developers and businesses if end users opt out of being tracked.

In the ad, Facebook maintains that Apple’s changes will be “devastating to small businesses” that rely on its ad network to leverage clicks and sales. The newspaper ads that Facebook took out ask small businesses to check out the platform’s “speak up for small business” site that features a series of business owners speaking out on Apple’s changes. Some of those comments are pretty shaming -- things like “This is going to affect me and my family,” and “We could lose our business.”

While Apple has yet to publicly respond to Facebook’s ads, the company did respond to similar Facebook claims in November, accusing Facebook of a “disregard for user privacy.” Apple is steadfast in its position that the upcoming privacy policies will be enforced when they go into effect in early 2021. The company said it is “committed to ensuring users can choose whether or not they allow an app to track them.”

Facebook’s call for support

Facebook said it hopes the European Union’s proposed Digital Markets Act (DMA), unveiled by the European Commission this week, will also set boundaries for Apple. 

“Apple controls an entire ecosystem from device to app store and apps, and uses this power to harm developers and consumers, as well as large platforms like Facebook,” a Facebook spokesperson said in a statement to CNBC.

The DMA would impose conduct rules on large “gatekeeper” platforms, a category Facebook itself would be likely to fall into. If Facebook’s game is to play two ends against the middle, it should note that the rules it is invoking against Apple’s app store would bind its own platform and advertising business as well.


FTC demands that social media giants come clean about user data collection

One commissioner is crying foul because the agency left off other companies like Apple and LinkedIn

The Federal Trade Commission (FTC) turned up the heat on the social media big wigs on Monday. In a new mandate, the Commission will now require nine tech firms to disclose exactly how they collect and use data from their users.

Called on the carpet are the usual suspects -- Amazon, Facebook, and Twitter -- along with Google’s YouTube, TikTok’s owner ByteDance, Discord, Facebook’s WhatsApp, Reddit, and Snap. The companies have until January 28, 2021 to respond.

What is the FTC looking for?

Specifically, the FTC is leveraging Section 6(b) of the FTC Act, which gives it the authority to ask about how the companies “compile data concerning the privacy policies, procedures, and practices of [such] providers, including the method and manner in which they collect, use, store, and disclose information about users and their devices.”

Moving past the legalese, the FTC said that what it’s trying to ascertain is really more consumer-oriented. The questions it wants answered are:

  • “How social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;

  • How they determine which ads and other content are shown to consumers;

  • Whether they apply algorithms or data analytics to personal information;

  • How they measure, promote, and research user engagement; and

  • How their practices affect children and teens.”

The commissioners weigh in

After making their demands, the FTC commissioners said that the agency is seeking more information in the best interest of consumers.

“Never before has there been an industry capable of surveilling and monetizing so much of our personal lives. Social media and video streaming companies now follow users everywhere through apps on their always-present mobile devices,” Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Christine S. Wilson said in a statement. 

“This constant access allows these firms to monitor where users go, the people with whom they interact, and what they are doing. But to what end? Is this surveillance used to build psychological profiles of users? Predict their behavior? Manipulate experiences to generate ad sales? Promote content to capture attention or shape discourse? Too much about the industry remains dangerously opaque.”

Commissioner Noah Joshua Phillips was the dissenting vote among the commissioners, saying that the move was an “undisciplined foray into a wide variety of topics.” He called his peers out for omitting other companies engaged in business practices similar to the nine companies named. Phillips asked why Apple, Gab, GroupMe, LinkedIn, Parler, Rumble, Tumblr, and WeChat weren’t also named. He answered his own question rather snarkily. 

“The only plausible benefit to drawing the lines the Commission has is targeting a number of high profile companies and, by limiting the number to nine, avoiding the review process required under the Paperwork Reduction Act...which is not triggered if fewer than ten entities are subject to request.”


Russian hackers accused of hacking into government and private sector businesses again

Microsoft says that its user base and systems are safe

Russian hackers, believed to be working on behalf of the Kremlin, were apparently behind an intrusion into computer systems at the U.S. Treasury and Commerce departments that may have gone on for months before being detected. To make matters worse, people familiar with the matter believe this may be only the tip of the iceberg.

According to U.S. officials and a report by National Public Radio (NPR), the Russian hackers broke into the email systems at those two government departments, and it was so consequential that it led to a National Security Council meeting at the White House on Saturday, one of the people familiar with the matter told Reuters.

It may come as no surprise that Russia denies any involvement. The Russian foreign ministry took to Facebook to say the allegations were nothing more than another “unfounded attempt” by the American media to blame Russia for cyberattacks directed at U.S. agencies.

Malicious actors

In response to what it called a “known compromise,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, ordering federal civilian agencies to disconnect or power down affected SolarWinds Orion network monitoring products, which it said were being exploited by malicious actors.

“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners -- in the public and private sectors -- to assess their exposure to this compromise and to secure their networks against any exploitation,” the DHS’ Cybersecurity and Infrastructure Security Agency said in a statement.

The Commerce Department and the National Security Council both confirmed the breach, but the agencies didn’t give any extra information about the extent of the hack or the measures that have been taken to secure the email accounts.

The private sector is also in danger

In addition to the government breaches, the hackers also reached into the networks of private companies. 

SolarWinds’ own customer page, cited by KrebsOnSecurity, claimed more than 400 of the U.S. Fortune 500 as customers, along with all branches of the military, all of the top 10 communications companies, all of the top five accounting firms, and hundreds of colleges. Using SolarWinds products is not the same as being compromised, however: only installations that applied the trojanized Orion updates received the backdoor, and only a subset of those were followed up by the attackers.

Security firm FireEye, which also happened to be hit by the hack, said the attackers inserted a backdoor into digitally signed SolarWinds Orion updates that “(went) to significant lengths to observe and blend into normal network activity.” It also concluded that the breach is a “global campaign” and had confirmed intrusions in North America, Europe, Asia, and the Middle East. 

In a blog post late Sunday, Microsoft echoed FireEye’s assessment, saying that it believes the hack represents “nation-state activity at significant scale, aimed at both the government and private sector." The company also had words for its own users.

“We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations. As part of our ongoing threat research, we monitor for new indicators that could signal attacker activity,” the company said.
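A concrete version of the indicator monitoring Microsoft and FireEye describe, as an added example (not code from either company or from this page): the script below scans DNS query logs for lookups of the first-stage SUNBURST command-and-control domain that FireEye published in its public indicators for this campaign (the domain is not listed on this page), matching on label boundaries so that look-alike names do not produce false hits. The log layout and the sample lines are constructed for the demonstration; real deployments should load the full vendor indicator list and run over the resolver’s actual export format.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# First-stage SUNBURST C2 domain from FireEye's public indicators for this
# campaign (assumption: your indicator feed is loaded here, not hard-coded).
IOC_DOMAINS: Set[str] = {"avsvmcloud.com"}

# Assumed log layout: "<timestamp> <client-ip> <qtype> <qname>", one query per line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def is_ioc_match(qname: str, iocs: Set[str] = IOC_DOMAINS) -> bool:
    """True if qname is an IOC domain or any subdomain of one.

    Trailing dots and case are normalised, and the suffix test is done on a
    label boundary so that 'notavsvmcloud.com' does not match 'avsvmcloud.com'.
    """
    q = qname.rstrip(".").casefold()
    return any(q == d or q.endswith("." + d) for d in iocs)


def scan_dns_log(lines: Iterable[str], iocs: Set[str] = IOC_DOMAINS) -> Dict[str, List[str]]:
    """Map each client IP to the matching query names it resolved."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production scanner should count these
        if is_ioc_match(m["qname"], iocs):
            hits[m["client"]].append(m["qname"])
    return dict(hits)


# Constructed sample log (not real traffic). The long random label imitates
# the per-victim subdomains the backdoor generated; it is made up here.
SAMPLE_LOG = """\
2020-12-13T02:14:07Z 10.20.30.40 A login.microsoftonline.com
2020-12-13T02:14:09Z 10.20.30.40 A k3d9q7m2x8p1r5t6n0b4.appsync-api.us-east-2.avsvmcloud.com
2020-12-13T02:15:11Z 10.20.30.41 A downloads.solarwinds.com
2020-12-13T02:20:44Z 10.20.30.40 A AVSVMCLOUD.COM.
2020-12-13T02:21:00Z 10.20.30.42 A notavsvmcloud.com
""".splitlines()


if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} IOC lookup(s): {', '.join(names)}")
```

A hit identifies a host that at least had the backdoor installed and beaconing; whether the attackers followed up with second-stage activity has to be established from endpoint and authentication logs on that host.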


Cybersecurity firm FireEye suffers major cyber attack

Russian hackers are reportedly being investigated as the likely culprit

FireEye, one of the nation’s leading cybersecurity firms, has shared details of a hack targeting its “Red Team” tools, which it uses to test customers’ security. The firm said there is concern that the hackers could publicly release the tools they accessed or use them to carry out other attacks. 

In a blog post, FireEye CEO Kevin Mandia said the attack was “different from the tens of thousands of incidents we have responded to throughout the years.” 

“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus,” Mandia wrote. “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.” 

Russia reportedly a suspect

FireEye said it doesn’t currently have evidence that any customer information was taken. 

Although the company didn’t say in its report who it believes is responsible for the attack, the Wall Street Journal reported that state-sponsored Russian hackers are a likely suspect. A source familiar with the matter told the Journal that Russia is currently being viewed by investigators as “the most likely culprit.” 

“Moscow’s foreign-intelligence service, known as the SVR and one of two Russian groups that hacked the Democratic National Committee ahead of the 2016 presidential election, is believed to be responsible, the person said,” according to the Journal. 

FireEye didn’t specify when the hack took place or when it became aware of it. The hack is currently being investigated by FireEye, as well as the FBI and industry partners like Microsoft.

Since becoming aware of the attack, FireEye said it has developed hundreds of countermeasures that can detect or block the use of any of its stolen tools, released publicly on GitHub as Snort, Yara, ClamAV and HXIOC signatures. The firm said it has integrated the measures into its own security products and shared them with “colleagues in the security community.” 

FireEye said it will “continue to share and refine any additional mitigations for the Red Team tools as they become available.” 


Google researcher demonstrates serious iPhone security flaw

A since-fixed vulnerability could have given an attacker complete access to an iPhone within Wi-Fi range

A Google researcher has demonstrated an Apple security vulnerability that could have allowed hackers to gain full access to a person’s iPhone. A cyberattacker could have exploited the flaw without having the user download malware or click on a suspicious link. To fall victim, a user would have only had to be within Wi-Fi range. 

Ian Beer -- a security researcher with Google’s Project Zero -- explained in a video this week that it was possible for a Raspberry Pi setup with off-the-shelf Wi-Fi adapters to steal photos from an iPhone in a different room in a matter of minutes. The same security vulnerability also allowed Beer to repeatedly reboot 26 iPhones at the same time. 

Apple fixed the vulnerability in May; Beer said the research took him six months.

"Imagine the sense of power an attacker with such a capability must feel," Beer said in a blog post. "As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target."

Full access to a device

Through his extensive research, Beer found a “wormable radio-proximity exploit” that allowed him to gain “complete control over any iPhone in my vicinity.” The underlying flaw was a memory-corruption bug in the kernel driver for AWDL, Apple’s proprietary Wi-Fi peer-to-peer protocol used by features such as AirDrop, which is why no user interaction was needed. He said he was able to view photos, read emails, copy private messages, and monitor everything that happens on a device in real time. 

“The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine,” he wrote. “Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”

Beer said he hadn’t seen any evidence that the flaw was exploited prior to being fixed, but he said consumers can never be too careful when it comes to the security of their mobile devices. Issues like these are likely to surface again. 

"As things stand now in November 2020, I believe it's still quite possible for a motivated attacker with just one vulnerability to build a sufficiently powerful weird machine to completely, remotely compromise top-of-the-range iPhones," Beer said.


Hacker sells email credentials of ‘hundreds’ of high level executives

Stolen account credentials are being sold for $100 to $1500 each

A hacker is reportedly selling access to email accounts belonging to “hundreds” of high level executives across the world. The accounts are going for $100 to $1500 each, depending on the value of each account. The targets include CEOs, vice presidents, and directors. 

The email and password combinations are being sold on a “closed-access underground forum for Russian-speaking hackers named Exploit.in,” according to ZDNet. The seller did not disclose how he obtained the login credentials, but he claimed to have hundreds of additional accounts to sell. 

ZDNet said a cybersecurity source has confirmed the validity of the stolen data. That source has begun the process of notifying all the affected companies. 

Scam potential 

If corporate executive login credentials fall into the wrong hands, both the executives and their workers could be affected. Cybercriminals can use compromised corporate email credentials for a variety of money-making schemes, KELA Product Manager Raveed Laeb explained to ZDNet. 

"Attackers can use them for internal communications as part of a 'CEO scam' - where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme,” Laeb said.

Stolen login credentials can also be “exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion," Laeb added.

To reduce the likelihood of such events unfolding, cybersecurity experts highly recommend enabling two-step verification (2SV) or two-factor authentication (2FA) on online accounts. With a second factor in place, a stolen username and password alone is not enough to log in; the attacker also needs the code or the device that produces it. The second factor should not itself depend on the compromised mailbox, though: as Laeb notes above, email-based 2FA on other systems is exactly what a stolen mailbox can be used to defeat, so an authenticator app or a hardware security key is the stronger choice. 


‘Password’ and ‘123456’ top list of worst passwords in 2020

Experts say these weak passwords have been cracked millions of times by hackers

Password manager NordPass has released its annual list of the worst passwords, and 2020’s list includes many of the same weak passwords as years prior. 

Consumers are still protecting their data with simple passwords that are infamous for being easy to crack, according to this year’s list. For example, NordPass found that millions of people are still using “password" and “123456” as passwords. The firm said the latter has appeared in data breaches more than 23 million times. 

Many people choose variations of the number row because they are quick and easy to type, but research has found that these frequently used passwords take less than a second to crack. Runs of adjacent keys, such as “asdfghjkl” or “qwertyuiop,” are just as weak: cracking tools generate these keyboard walks as a matter of course. 

Worst passwords of 2020

NordPass’s full list contains 200 of the most commonly used passwords, ranked by metrics such as how many times each password has been exposed and how long it would take an unauthorized party to crack it. 

Below are the top 20 worst passwords of the year. 

  • 123456

  • 123456789

  • picture1

  • password

  • 12345678

  • 111111

  • 123123

  • 12345

  • 1234567890

  • senha

  • 1234567

  • qwerty

  • abc123

  • Million2

  • 000000

  • 1234

  • iloveyou

  • aaron431

  • password1

  • qqww1122

Protecting your data

To keep sensitive data from being exposed, NordPass recommends making sure every password is unique and complex. A password manager such as LastPass or Apple’s iCloud Keychain makes this practical by generating and storing a different random password for each site. 

NordPass also suggests enabling two-factor authentication when possible and deleting any old or inactive accounts. 
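As an added example (not NordPass's code), the check below turns the advice above into a policy a sign-up form can enforce: it rejects anything on a deny list, anything that is a keyboard walk like “qwerty” or “12345,” and single repeated characters. The deny list is the page's top-20 list and the keyboard rows are an assumed US QWERTY layout; a real deployment would load a breach-derived list with hundreds of millions of entries.

```python
"""Reject weak passwords before they reach the account database.

Added example, not NordPass's code: a deny-list check plus detection of
keyboard walks and repeated characters. The deny list is the page's
top-20 list (a production list is far larger).
"""
from typing import List

# Constructed from the top-20 list above.
DENY_LIST = {
    "123456", "123456789", "picture1", "password", "12345678", "111111",
    "123123", "12345", "1234567890", "senha", "1234567", "qwerty", "abc123",
    "Million2", "000000", "1234", "iloveyou", "aaron431", "password1",
    "qqww1122",
}
_DENY_LOWER = {d.lower() for d in DENY_LIST}

# Assumed layout rows for keyboard-walk detection (US QWERTY).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _is_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if `pw` contains a run of `min_run` adjacent keys in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in low:
                    return True
    return False


def _is_repeated(pw: str) -> bool:
    """True for strings like '111111' or 'aaaaaa'."""
    return len(pw) > 0 and len(set(pw)) == 1


def check_password(pw: str, min_len: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Compare case-insensitively and with trailing digits/symbols stripped,
    # so 'Password1' and 'password!' hit the deny list too.
    base = pw.lower().rstrip("0123456789!@#$%^&*")
    if pw.lower() in _DENY_LOWER or (base and base in _DENY_LOWER):
        problems.append("appears on the common-password deny list")
    if _is_keyboard_walk(pw):
        problems.append("contains a keyboard walk (e.g. qwerty, asdfgh, 12345)")
    if _is_repeated(pw):
        problems.append("is a single repeated character")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Password1", "asdfghjkl", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The stripping step matters in practice: most of the “complex” variants users reach for (a capital letter, a trailing digit) are produced by the same rules that cracking tools apply, so they should fail the deny-list check exactly as the base word does.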


Microsoft says Russian and North Korean hackers attacked COVID-19 vaccine makers

The company says most of the attacks were throttled by its own security software

Amid the news of successful vaccine trial results from Moderna and Pfizer, Microsoft has disclosed a series of cyberattacks originating from Russia and North Korea and aimed at companies and researchers working on COVID-19 vaccines and treatments.

In a blog post, Microsoft said the attacks targeted seven prominent pharmaceutical companies and researchers in Canada, France, India, South Korea, and the U.S. Microsoft didn’t say which companies were targeted or what information may have been compromised or stolen, but said it had notified the organizations and offered help where the attacks were successful.

“Two global issues will help shape people’s memories of this time in history – COVID-19 and the increased use of the internet by malign actors to disrupt society. It’s disturbing that these challenges have now merged as cyberattacks are being used to disrupt health care organizations fighting the pandemic,” wrote Microsoft’s Tom Burt, Corporate Vice President, Customer Security & Trust.

“We think these attacks are unconscionable and should be condemned by all civilized society. Today, we’re sharing more about the attacks we’ve seen most recently and are urging governments to act.”

The attacks and the protection

Microsoft attributes the attacks to three actors: “Strontium,” a Russian group better known as APT28 or Fancy Bear, and two North Korean actors Microsoft tracks as “Zinc” (better known as the Lazarus Group) and “Cerium.”

Strontium relies on password spraying and brute-force login attempts to steal credentials. In a spray, the attacker tries a small set of common passwords against a large number of accounts, staying under each account’s lockout threshold; brute forcing instead hammers individual accounts with many guesses. Microsoft says the tooling makes millions of rapid login attempts. Zinc’s approach is spear-phishing for credential theft: messages carrying fabricated job descriptions, sent while posing as recruiters. Cerium also spear-phishes, using COVID-19-themed email lures and masquerading as World Health Organization representatives. 
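The two techniques leave different fingerprints in authentication logs, and the difference is what a detection should key on. The script below is an added example (not Microsoft's detection logic): it parses an assumed log format, shown inline, and classifies each source address as a spray (few failures each against many accounts) or a brute-force run (many failures against one account). The log lines are constructed.

```python
"""Telling a password spray from a brute-force run in authentication logs.

Added example, not Microsoft's code. The log format is assumed (one event
per line: ISO timestamp, source IP, username, result) and the sample log
is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 sprays one guess across many accounts and
# gets into one, 198.51.100.9 brute-forces a single account, 192.0.2.1 is a
# normal user who mistyped once.
SAMPLE_LOG = """\
2020-11-13T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-11-13T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2020-11-13T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2020-11-13T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2020-11-13T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2020-11-13T10:00:06Z src=203.0.113.5 user=frank result=OK
2020-11-13T10:00:10Z src=198.51.100.9 user=admin result=FAIL
2020-11-13T10:00:11Z src=198.51.100.9 user=admin result=FAIL
2020-11-13T10:00:12Z src=198.51.100.9 user=admin result=FAIL
2020-11-13T10:00:13Z src=198.51.100.9 user=admin result=FAIL
2020-11-13T10:00:14Z src=198.51.100.9 user=admin result=FAIL
2020-11-13T10:00:15Z src=198.51.100.9 user=admin result=FAIL
2020-11-13T10:00:20Z src=192.0.2.1 user=grace result=FAIL
2020-11-13T10:00:25Z src=192.0.2.1 user=grace result=OK
"""


def parse(log_text):
    """Return a list of (timestamp, src, user, result) tuples; skips unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_users=5, brute_fails=5):
    """Return {src: (kind, detail)} for suspicious sources.

    Within `window` of a source's first event, failing against >= spray_users
    distinct accounts is a spray; >= brute_fails failures against one account
    is brute force. For a spray, the accounts that then succeeded are listed,
    since those are the ones the attacker actually got into.
    """
    findings = {}
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    for src, evs in by_src.items():
        evs.sort()
        start = evs[0][0]
        recent = [e for e in evs if e[0] - start <= window]
        failed_users = {e[2] for e in recent if e[3] == "FAIL"}
        fails_per_user = defaultdict(int)
        for e in recent:
            if e[3] == "FAIL":
                fails_per_user[e[2]] += 1
        if len(failed_users) >= spray_users:
            compromised = sorted({e[2] for e in recent if e[3] == "OK"})
            findings[src] = ("spray", {"accounts_tried": len(failed_users),
                                       "successes": compromised})
        elif fails_per_user and max(fails_per_user.values()) >= brute_fails:
            user = max(fails_per_user, key=fails_per_user.get)
            findings[src] = ("brute_force", {"account": user,
                                             "failures": fails_per_user[user]})
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

Per-account lockout counters never fire on the spraying source, which is the whole point of the technique; the detection has to pivot on the source (or on the ASN, when the attacker rotates addresses) rather than on the account.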

Luckily, Burt says the “majority” of the attacks have been blocked by security protections built into the company’s products. The company is continuing to make its threat notification service, “AccountGuard,” available for free to health care and human rights organizations working on COVID-19. 

The company says that 195 health care-related groups have enrolled in the service, and it now protects 1.7 million email accounts that those organizations serve.


Microsoft urges users to stop using phone-based multi-factor authentication

A company executive says app-based authentication is more secure

A Microsoft executive is urging users to move away from phone-based multi-factor authentication (MFA) mechanisms and instead embrace newer security technologies, like app-based authenticators and security keys.

In a blog post, Alex Weinert, Director of Identity Security at Microsoft, said app-based two-factor authentication provides greater security.

Weinert said telephone-based multi-factor authentication (MFA) solutions -- like one-time codes sent via SMS and voice calls -- are “based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.” 

“That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages,” he said. “Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.” 

MFA is ‘essential’

In 2019, Weinert penned a blog post in which he said that internal Microsoft statistics showed that users who enabled MFA blocked around 99.9 percent of automated attacks against their Microsoft accounts. 

In a follow-up blog post earlier this week, he stressed that MFA itself remains essential, but that the way people use it should change. When users can choose among several MFA methods, he said, they should avoid the phone-based ones: SMS and voice codes travel unencrypted over the phone network and can be intercepted or redirected by attackers, for example by taking over the victim’s phone number through a SIM swap. 

Weinert said a good place to start is by using Microsoft’s Authenticator MFA app. For even greater security, hardware security keys can be used. 
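What an authenticator app actually does is worth seeing in code, since it is the reason both this article and the executive-credentials story above reach the same recommendation. The block below is an added example, not Microsoft's code: it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library and wraps them in a login check that needs both the password and a fresh code, rejects a replayed code, and tolerates one time step of clock skew. The user record is constructed; the enrolled secret is the RFC test secret so the output can be checked against the published vectors.

```python
"""What an authenticator app computes, and why a stolen password alone fails.

Added example, not Microsoft's code. HOTP (RFC 4226) and TOTP (RFC 6238)
in the standard library; the user record below is constructed and uses
the RFC test secret so outputs match the RFC tables.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


# Constructed user record. Password stored as salted PBKDF2; the TOTP secret
# is the RFC 4226/6238 test secret "12345678901234567890".
SALT = b"constructed-salt"
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": b"12345678901234567890",
    "last_counter": -1,   # highest time step already accepted; blocks replay
}


def login(user, password: str, code: str, now=None) -> str:
    """Return 'ok', 'bad password', 'bad code' or 'replayed code'."""
    now = int(time.time()) if now is None else now
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(cand, user["pw_hash"]):
        return "bad password"
    counter = now // 30
    # Accept the current step and one either side for clock skew, but never a
    # step at or below the last one accepted: a code is single-use.
    for c in (counter - 1, counter, counter + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            if c <= user["last_counter"]:
                return "replayed code"
            user["last_counter"] = c
            return "ok"
    return "bad code"


if __name__ == "__main__":
    print("TOTP at t=59:", totp(USER["totp_secret"], 59))   # RFC 6238 vector: 287082
    print(login(USER, "correct horse", totp(USER["totp_secret"], 59), now=59))
```

The secret never leaves the device and the code is only valid for the current 30-second step, which is what an SMS code cannot offer: the SMS code is the same kind of one-time value, but it is generated server-side and then handed to a carrier network the attacker may be able to redirect. A FIDO2 security key goes a step further by binding the response to the site's origin, so a phishing page cannot relay it.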


FTC requires Zoom to enhance its security practices in new settlement

The company was accused of following deceptive and unfair practices

The Federal Trade Commission (FTC) announced a settlement with video conferencing platform Zoom on Monday that will require the company to implement a sturdier information security program. The FTC alleged that Zoom engaged in a series of “deceptive and unfair practices” that essentially undermined the security of its users.

The FTC’s complaint alleges that since at least 2016 Zoom misled users by claiming to offer “end-to-end, 256-bit encryption” for meetings. In fact, the FTC said, Zoom held the cryptographic keys, so Zoom itself (or anyone who obtained those keys from it) could access meeting content, and the level of encryption it actually used was lower than promised. 

The FTC also alleged that Zoom told users who stored recorded meetings in the company’s cloud that the recordings were encrypted immediately after the meeting ended. Instead, some recordings were allegedly kept unencrypted on Zoom’s servers for up to 60 days before being moved to its secure cloud storage.

Enter COVID-19

The matter took on more weight during the COVID-19 pandemic. Zoom’s daily meeting participants skyrocketed from 10 million in December 2019 to 300 million in April 2020, putting far more users’ privacy at stake. 

Earlier this summer, the company tried to soften the FTC’s stance by extending stronger security, including end-to-end encryption, to all users rather than only its paying subscribers, but those actions seemingly weren’t enough to satisfy regulators.

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

What changes Zoom users will see

The FTC’s list of changes that Zoom users are supposed to see thanks to the settlement includes:

  • An annual assessment and documentation of potential internal and external security risks, with safeguards developed to address them;

  • A vulnerability management program; and

  • Safeguards such as multi-factor authentication against unauthorized access to its network, data deletion controls, and steps to prevent the use of known compromised user credentials.

The FTC didn’t stop there. On top of those three changes, Zoom must review software updates for security flaws before release and ensure that updates do not hamper third-party security features (a requirement that traces back to the complaint’s allegation that a 2018 Zoom update installed a hidden web server on Macs that bypassed a Safari safeguard). The company also agreed not to misrepresent its collection and use of personal information, and it will have its security program assessed by an independent third party every other year.


Platform used by Hotels.com and Expedia leaks data of ‘millions’ of guests

Security researchers don’t know whether the data has already been found by a cybercriminal

The hotel reservation firm Prestige Software has exposed the data of millions of guests worldwide, Website Planet reports. 

Prestige Software -- a platform that lets hotels automate their availability on booking websites like Expedia and Booking.com -- reportedly stored files dating back to 2013 in a publicly accessible Amazon S3 bucket, with no authentication or other protection in place. 

Exposed information included names, credit card details, ID numbers, and reservation details. In some cases, logs contained personally identifiable information for multiple members included in a single booking.

No evidence of third party access 

At this time, it’s not known how long the trove of data was left unsecured or if any third parties accessed it. If the data was found by a cybercriminal, the party could steal identities, carry out phishing scams, or even hijack a reservation.

“Millions of people were potentially exposed in the data breach, from all over the world. We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” said researcher Mark Holden. “So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”

Website Planet said Prestige Software secured the bucket quickly after being alerted to the exposure. 

Holden said that due to the sheer number of hotel and travel websites involved in the breach, it’s “impossible to help anyone already exposed if somebody found the data before us.” Clients of Prestige Software include Booking.com, Expedia, Hotels.com, and many others. 

“If you’re a customer of any of the websites listed in this report and are concerned about how this leak might impact you, contact the company directly to determine what steps it’s taking to protect your data,” Website Planet said.
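The exposure described above is the textbook outcome of a bucket policy that grants read access to everyone. As an added example (not Website Planet's or Prestige Software's code), the function below evaluates a bucket policy document offline and flags Allow statements whose Principal is everyone, whose Action includes object reads, and which carry no narrowing Condition. The two policies are constructed; the bucket name and role ARN are placeholders.

```python
"""Flagging a bucket policy that makes objects world-readable.

Added example, not from Website Planet or Prestige Software. Works on the
policy JSON only (no AWS calls); the sample policies are constructed.
"""
import json

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _principals(stmt):
    """Normalize the Principal element to a list of AWS principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        vals = p.get("AWS", [])
        return vals if isinstance(vals, list) else [vals]
    return []


def _actions(stmt):
    a = stmt.get("Action", [])
    a = a if isinstance(a, list) else [a]
    return {x.lower() for x in a}


def public_read_statements(policy_json):
    """Return Sids (or positional labels) of statements granting anonymous reads."""
    policy = json.loads(policy_json)
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt):
            continue
        if not (_actions(stmt) & READ_ACTIONS):
            continue
        # A Condition (aws:SourceVpce, aws:SourceIp, ...) may narrow the grant;
        # such statements need review rather than an automatic 'public' verdict.
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", f"statement[{i}]"))
    return found


# Constructed: the kind of policy that leaks a bucket (placeholder bucket name).
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-reservations/*",
    }],
})

# Constructed: access limited to one IAM role, nothing anonymous (placeholder ARN).
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-reservations/*",
    }],
})


if __name__ == "__main__":
    print("leaky:", public_read_statements(LEAKY_POLICY))
    print("safe:", public_read_statements(SAFE_POLICY))
```

A policy check is only one of three controls: legacy bucket and object ACLs can also grant public reads, and the account-level Block Public Access setting overrides both. In an audit, confirm all three; in a new account, turn Block Public Access on before anything is uploaded.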


DOJ announces the largest seizure of cryptocurrency ever

The U.S. government continues to get smarter at tracking down illegal cyber activity

The U.S. government has taken control of $1 billion in bitcoin from the now-defunct online black market Silk Road. The capture represents the largest cryptocurrency seizure to date.

Silk Road ranks as the most infamous online criminal marketplace of its day, but the Department of Justice (DOJ) brought it to its knees in 2015 when it successfully prosecuted its founder, Ross Ulbricht, on seven counts that included unlawfully facilitating the sale of illegal drugs and money laundering. 

By the time Silk Road was brought to justice, it had reportedly generated sales revenue totaling over 9.5 million bitcoins. Commissions on those sales totaled over 600,000 bitcoins, which presumably went right into Ulbricht’s pockets.

Follow the money

This is where the story gets interesting. The roughly $1 billion in bitcoin at issue did not stay in Silk Road’s wallets. According to the DOJ’s forfeiture complaint, someone referred to as “Individual X” hacked Silk Road’s payment system some time in 2012 or 2013 and moved the funds to an address they controlled. The DOJ says Ulbricht learned of the theft and “threatened Individual X for the return of the cryptocurrency,” but the hacker refused, and the coins sat largely untouched for years.

Enter the DOJ and IRS Criminal Investigation’s Washington DC Cyber Crimes Unit, which specializes in tracing virtual currency transactions. Working with a third-party bitcoin tracing firm, the unit analyzed transactions carried out by Silk Road and identified 54 previously undetected transactions out of the platform. The analysis indicated that those transactions moved proceeds of unlawful activity that had been stolen from Silk Road.

The DOJ continued its hunt, and it cornered Individual X on November 3, 2020. The anonymous hacker agreed to hand over the stolen bitcoin and transfer it to the government's hands. The DOJ is mum on whether Individual X was arrested, cut a plea bargain, or even how their cooperation was attained.
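The tracing described above rests on a couple of simple ledger heuristics that anyone can apply to public transaction data. As an added example (not the DOJ’s or its contractor’s tooling), the block below implements the common-input-ownership heuristic (all inputs of one transaction are presumed to belong to the same spender) with a union-find, then follows tainted funds forward from a set of seed addresses. The transaction set is constructed, not real ledger data, and amounts are omitted to keep the structure visible.

```python
"""Following the money on a public ledger: address clustering and taint tracing.

Added example, not the DOJ's tooling. The transaction set is constructed
(txid -> (input addresses, output addresses)); no amounts, no real data.
"""
from collections import defaultdict

TXS = {
    "tx1": (["silkroad_hot_1", "silkroad_hot_2"], ["thief_a"]),
    "tx2": (["silkroad_hot_3"], ["thief_b"]),
    "tx3": (["thief_a", "thief_b"], ["thief_c"]),        # co-spend links a and b
    "tx4": (["thief_c"], ["thief_d", "exchange_deposit"]),
    "tx5": (["unrelated_1"], ["unrelated_2"]),
}


class _UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Map every input address to a cluster id (common-input-ownership heuristic)."""
    uf = _UnionFind()
    for ins, _ in txs.values():
        for addr in ins:
            uf.union(ins[0], addr)
    return {addr: uf.find(addr) for addr in uf.parent}


def trace_forward(txs, seeds):
    """Follow outputs from the seed addresses until the funds stop moving.

    Returns (tainted addresses, txids traversed). Any address in the same
    cluster as a tainted input is tainted too: that is how a chain of wallets
    gets linked back to the original theft.
    """
    clusters = cluster_by_common_input(txs)
    tainted = set(seeds)
    touched = set()
    changed = True
    while changed:
        changed = False
        for txid, (ins, outs) in txs.items():
            if txid in touched or not any(a in tainted for a in ins):
                continue
            touched.add(txid)
            for a in ins:
                tainted.update(x for x, c in clusters.items() if c == clusters[a])
            tainted.update(outs)
            changed = True
    return tainted, touched


if __name__ == "__main__":
    tainted, touched = trace_forward(TXS, ["silkroad_hot_1", "silkroad_hot_2", "silkroad_hot_3"])
    print("transactions:", sorted(touched))
    print("addresses:", sorted(tainted))
```

Real analysis adds amounts (to apportion taint when clean and dirty inputs are mixed), change-address heuristics, and known-entity labels for exchange deposit addresses, which is where a subpoena finally attaches a name to a cluster.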

“Criminal proceeds should not remain in the hands of the thieves,” IRS-CI Special Agent in Charge Kelly R. Jackson said in a statement. “The Washington DC Cyber Crimes Unit is uniquely specialized in tracing virtual currency transactions and we will continue to hone our skills to combat illegal activity.”


Online community for marijuana growers suffers data breach

GrowDiaries users are urged to change their passwords

GrowDiaries, an online community of marijuana growers, has suffered a major data breach. 

Security researcher Bob Diachenko reported that GrowDiaries had left two Kibana instances (Kibana is the open-source dashboard front end for Elasticsearch, normally used by a company’s development and IT staff) exposed online without a password since September 22, 2020. 

One of the unsecured instances exposed sensitive information belonging to 1.4 million users of the site, including email addresses and IP addresses. The other exposed user articles posted on the GrowDiaries site along with users’ hashed account passwords. 

Diachenko said he discovered the unprotected database on October 10. 

“It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords,” he wrote. “The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.” 

GrowDiaries secured its server less than a week after Diachenko notified site administrators of the issue. Although the site is now secured, GrowDiaries users are still urged to change their passwords, both on GrowDiaries and on any other site where the same password was reused: an unsalted MD5 hash of a common password can be reversed with a precomputed lookup table in well under a second. 

Diachenko said he couldn’t say for sure if any other third-parties accessed the data while it was unsecured, but it “seems likely.” 
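The point about MD5 deserves a demonstration. The block below is an added example (not Diachenko's or GrowDiaries' code): it runs a dictionary attack against constructed unsalted MD5 hashes of the kind the article describes, then shows what a salted, deliberately slow hash (PBKDF2 here; scrypt, bcrypt or Argon2 in production) changes. The leaked records and the wordlist are constructed; the third hash does not correspond to any password in the wordlist.

```python
"""Why 'hashed with MD5' gave GrowDiaries users little protection.

Added example, not Diachenko's or GrowDiaries' code. The leaked records
and wordlist are constructed.
"""
import hashlib
import hmac
import os

# Constructed "leaked" records: unsalted MD5, as the article describes.
LEAKED = {
    "grower1@example.com": "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "grower2@example.com": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "grower3@example.com": "8bd5f7a7cbb2a4b3f8d06f52a2a9a7c1",  # constructed; not in wordlist
}

# Constructed wordlist; attackers use hundreds of millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "senha"]


def crack_md5(leaked, wordlist):
    """Hash every candidate once; every leaked hash then costs one dict lookup.

    With no salt, the same table breaks every user who chose the same password,
    which is what makes a dump of unsalted MD5 hashes so cheap to attack.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); store both."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    """Constant-time comparison of the recomputed digest against the stored one."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    print("cracked:", crack_md5(LEAKED, WORDLIST))
    s1, d1 = hash_password("123456")
    s2, d2 = hash_password("123456")
    print("same password, different stored digests:", d1 != d2)
```

The salt defeats the precomputed table (each user needs a separate attack), and the iteration count turns a billions-per-second MD5 workload into a few hundred thousand guesses per second per core; together they buy the time a site needs to force resets after a leak, which is the position GrowDiaries would have liked to be in.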


Hospital information systems hit by new wave of ransomware attacks

The FBI is urging health care providers to take additional precautions to secure their networks

The Federal Bureau of Investigation (FBI) has warned that hospital information systems have been hit by coordinated ransomware attacks, which could possibly lead to disruptions in patient care. 

In a joint advisory on Wednesday, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services said malicious groups have launched several data-scrambling extortion attacks against hospitals and healthcare providers over the past few weeks. 

Officials said they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The attacks could lead to “data theft and disruption of healthcare services,” the agencies said. 

Attack on health care system

The warning coincides with an uptick in the number of COVID-19 infections nationwide. On Monday, an analysis of data from Johns Hopkins University showed 69,967 new COVID-19 cases in the U.S. In just the last week, the seven-day average of new cases has risen 20 percent.

Officials said the targeted ransomware attacks will likely create issues that will be “particularly challenging for organizations within the COVID-19 pandemic.” Institutions are urged to take precautions to protect their networks. Recommended precautions include regularly updating software, backing up data, and monitoring who is accessing their systems. 

In September, attackers launched a coordinated ransomware attack on Universal Health Services, a major U.S. hospital chain. The incident forced some hospital employees to revert to pen and paper for patient records. 

In the most recent wave of attacks on hospital networks, the attackers are deploying Ryuk ransomware, which encrypts files on the victim’s systems and demands payment for the decryption key. They gain their initial foothold through Trickbot, a botnet of infected computers, and use that access to steal data, disrupt health care services, and extort the facilities. 
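One of the advisory’s recommendations, monitoring what is happening on the systems, can be made concrete at the file level: ransomware like Ryuk rewrites thousands of files in minutes, and encrypted output has near-maximal byte entropy. The block below is an added example (not from the FBI/CISA/HHS advisory): a tripwire that scores file-write events by Shannon entropy and alerts when one process writes many high-entropy files inside a short window. The events, file paths and process names are constructed; the thresholds are assumptions to be tuned per host.

```python
"""A host-side tripwire for mass file encryption.

Added example, not from the advisory. Events are constructed tuples of
(timestamp_s, process, path, new_content); thresholds are assumptions.
"""
import math
import os
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed sample content. CIPHERTEXT is random bytes standing in for
# encrypted output; PLAINTEXT is a repeated record line.
PLAINTEXT = b"Patient 0042: admitted 2020-10-27, room 12B, follow-up due.\n" * 64
CIPHERTEXT = os.urandom(len(PLAINTEXT))

# Constructed events: one process rewrites 30 charts as ciphertext in 30 s,
# a word processor saves three documents, and an archiver writes one .7z file
# (high entropy, but a single file, so it must not alert).
EVENTS = (
    [(100 + i, "evil.exe", f"C:/records/chart{i}.docx.ryk", CIPHERTEXT) for i in range(30)]
    + [(100 + i, "winword.exe", f"C:/records/notes{i}.docx", PLAINTEXT) for i in range(3)]
    + [(500, "7z.exe", "C:/backup/archive.7z", CIPHERTEXT)]
)


def detect_mass_encryption(events, window_s=60, min_files=20, min_entropy=7.0):
    """Return {process: count} for processes that wrote >= min_files high-entropy
    files within any window_s-second window."""
    per_proc = defaultdict(list)
    for ts, proc, _path, content in events:
        if shannon_entropy(content) >= min_entropy:
            per_proc[proc].append(ts)
    alerts = {}
    for proc, stamps in per_proc.items():
        stamps.sort()
        best, lo = 0, 0
        for hi in range(len(stamps)):          # sliding window over timestamps
            while stamps[hi] - stamps[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_files:
            alerts[proc] = best
    return alerts


if __name__ == "__main__":
    print("plaintext entropy: %.2f" % shannon_entropy(PLAINTEXT))
    print("ciphertext entropy: %.2f" % shannon_entropy(CIPHERTEXT))
    print("alerts:", detect_mass_encryption(EVENTS))
```

Compression and legitimate encryption tools produce the same entropy, so the rate (many files, one process, short window) is what separates them, and the response to an alert should be to suspend the process and snapshot the host rather than to delete anything. This is a last line of defense; the advisory’s other items (patching, offline backups, access monitoring) are what keep Trickbot from getting the foothold in the first place.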


Study finds most banks lack digital identity verification

FICO researchers found most require in-person visits to a branch

During the coronavirus (COVID-19) pandemic, more consumers than ever are using online banking. Yet a new survey shows banks in the U.S. and Canada are struggling to implement practices that combat online identity fraud and money laundering, without turning off their customers.

In an age of digital banking, the survey found that just over half of North American banks still require customers to prove their identity by visiting a branch or mailing documents when opening digital accounts. 

The same was true for 25 percent of mortgages or home loans and 15 percent of credit cards opened online.

Rethinking their approach

"The pandemic has forced industries to fully embrace digital,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO, which commissioned the survey. “We now are seeing North American banks that relied on face-to-face interactions to prove customers' identities rethinking how to adapt to the digital-first economy."  

Andrew, of Scottsdale, Ariz., recently had this experience. In a post on ConsumerAffairs, Andrew told us that a fraud alert resulted in his Chase bank account being locked.

“I simply called their security department and was told it was closed out due to bank identity and that I would have to go into a branch and show 2 forms of ID's,” Andrew wrote in his post. 

Banks everywhere have instituted new procedures for cases where fraud is suspected, a necessary measure given the rapid growth of the crime. But Lasher says all banks should consider making the process as user-friendly as possible because it’s good for business in the long run.

"Today's consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations,” she said. “Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult."

Slow to embrace digital verification

The study found that only 16 percent of North American banks use the type of fully integrated, real-time digital capture and validation tools that FICO says are required for consumers to securely open a financial account online. 

Some banks have adopted some form of digital verification, but the study found that in most cases, the experience “still raises barriers,” with customers expected to use email or visit an "identity portal" to verify their identities.

The authors suggest that banks create a “frictionless process” that will meet consumers' expectations. Failing to do so could lead to a loss of business.

According to FICO's recent Consumer Digital Banking study, 75 percent of customers said they would open a bank account online, but 23 percent of them would give up and go somewhere else if they faced a difficult or inconvenient identity verification process.

Three-quarters of the banks in the study told FICO they plan to invest in an identity management platform within the next three years.  


Dickey’s BBQ data breach compromises millions of credit card records

Customers are being warned to watch out for suspicious charges

More than 100 Dickey’s Barbeque Restaurants across the U.S. were involved in a data breach that spanned more than a year. 

KrebsOnSecurity reported that one of the dark web’s most popular stores for selling stolen credit card information was offering card numbers belonging to customers of Dickey’s Barbeque Restaurants. 

Around three million new credit card records were being offered this week on a dark web carding site called “Jokers Stash.” Security researchers at Gemini Advisory initially discovered the stolen credit card numbers for sale on the dark web marketplace. 

Long-running breach

Gemini said its analysis found that 156 of the eatery’s 469 locations across 30 states were compromised. The largest percentage of stolen numbers were from California and Arizona. The data was accessed between July 2019 and August 2020, the researchers said. 

“Given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations,” researchers said in a blog post.

Report suspicious charges

In a statement, the barbeque franchise said it’s aware of the security incident and is investigating its scope.

“We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved,” Dickey’s said.

Consumers who have visited Dickey’s Barbeque in the past year are urged to monitor their bank accounts and credit card transactions and report any fraudulent or suspicious charges to their financial institution as soon as possible. 


Barnes & Noble says cybersecurity attack may have compromised customer information

The breach affected its corporate systems and Nook platform

Barnes & Noble has disclosed that it was recently the victim of a cybersecurity attack, leading to "unauthorized and unlawful access to certain Barnes & Noble corporate systems."

In emails sent to customers, the bookseller said the personal data of some customers may have been accessed during the breach. The potentially exposed information includes customer email addresses, billing and shipping addresses, telephone numbers, and transaction histories. 

"It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems,” Barnes & Noble said in the email. "We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility.”

Barnes & Noble stressed that no financial data -- which it stores "encrypted and tokenized" for security purposes -- was taken or available to the hackers. However, the company warned that leaked email addresses could be used to carry out phishing campaigns. 

Nook platform affected

Nook Digital, the company’s eBook and e-Reader platform, was also affected by the breach. Since Sunday, Nook owners have been unable to download books to their devices. The bookstore giant acknowledged the issue in a tweet, telling customers that it was investigating the cause and that service restoration was taking longer than expected.

“We are continuing to experience a systems failure that is interrupting NOOK content. We are working urgently to get all NOOK services back to full operation. Unfortunately it has taken longer than anticipated, and we sincerely apologize for this inconvenience and frustration,” the company said.

Barnes & Noble assured customers that there was “no compromise of customer payment details” and said it will let users know when service has been restored.

“We expect NOOK to be fully operational shortly and will post an update once systems are restored,” the company wrote in an October 14 tweet. 


Facebook admits malware defrauded users out of $4 million

The company reimbursed users who lost money to the scheme

A China-based group has apparently defrauded Facebook users to the tune of $4 million. At Virus Bulletin’s virtual VB2020 conference, Facebook’s malware researchers and security analysts described malware that abused Facebook’s ad platform to run malicious ad campaigns, spamming users with phony celebrity endorsements and luring them into fraudulent purchases. 

Facebook’s security team named the malware “SilentFade,” for “Silently running Facebook ADs with Exploits,” after the way the attacks were carried out. Its M.O.: once installed on a victim’s computer (typically bundled with pirated software), it raided the browsers for Facebook session cookies and saved passwords, which let it act as the victim without ever going through a normal login.

With that access, the operators searched for accounts that had a payment method attached to the profile. From there SilentFade was off to the races, buying Facebook ads for keto pills, weight-loss products, and the like with the victim’s money. 

All told, Facebook said the group was able to fleece more than $4 million from infected users. To make things whole, Facebook reimbursed the $4 million back to the victims for unauthorized ads purchased using their ads accounts.
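Because SilentFade presented stolen session cookies rather than passwords, the defense has to live server-side. The block below is an added example (not Facebook’s code): a session store that ties each session to the browser and network it was issued to, revokes the session when the cookie shows up from somewhere else, and demands a fresh authentication before any payment-bearing action such as creating an ad campaign. The session store, requests, user agents and IPs are constructed; the step-up actions and the /24 network match are assumptions.

```python
"""Catching a stolen session cookie before it buys ads.

Added example, not Facebook's code. Session store and requests are constructed;
the step-up action list and the /24 IP match are assumed policy choices.
"""
import hashlib
from dataclasses import dataclass, field

STEP_UP_ACTIONS = {"create_ad_campaign", "add_payment_method"}
REAUTH_MAX_AGE = 15 * 60   # seconds since the last full authentication


def _ua_fingerprint(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()


def _net(ip: str) -> str:
    """Compare on the /24 so a home NAT hop does not log people out."""
    return ip.rsplit(".", 1)[0]


@dataclass
class Session:
    user: str
    ua_fp: str
    net: str
    last_auth: float
    flags: list = field(default_factory=list)


SESSIONS = {}


def issue_session(token, user, user_agent, ip, now):
    """Called after a successful password + MFA login."""
    SESSIONS[token] = Session(user, _ua_fingerprint(user_agent), _net(ip), now)


def authorize(token, action, user_agent, ip, now):
    """Return 'allow', 'step_up' (ask for a fresh MFA/password), or 'deny'."""
    s = SESSIONS.get(token)
    if s is None:
        return "deny"
    mismatches = []
    if _ua_fingerprint(user_agent) != s.ua_fp:
        mismatches.append("user_agent")
    if _net(ip) != s.net:
        mismatches.append("ip_prefix")
    if mismatches:
        s.flags.extend(mismatches)
        # A cookie presented from a different browser and network is what
        # infostealer replay looks like: revoke rather than trust it.
        SESSIONS.pop(token)
        return "deny"
    if action in STEP_UP_ACTIONS and now - s.last_auth > REAUTH_MAX_AGE:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/86"
    issue_session("tok", "victim", ua, "203.0.113.7", now=1000.0)
    print(authorize("tok", "view_feed", ua, "203.0.113.9", now=1100.0))
    print(authorize("tok", "create_ad_campaign", ua, "203.0.113.9", now=1000.0 + 20 * 60))
    print(authorize("tok", "create_ad_campaign", "python-requests/2.24", "198.51.100.5", now=1100.0))
```

Binding on user agent and network is deliberately coarse (an attacker who replays the cookie from a clone of the victim’s browser on the victim’s network still gets through), which is why the step-up check on payment actions is the control that actually blocks the ad purchase: a stolen cookie cannot satisfy a fresh MFA prompt.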

Not exclusive to Facebook

Satnam Narang -- a staff research engineer at Tenable who has uncovered similar scams on other social media platforms like TikTok, Instagram, and Twitter -- noted that it’s a well-conceived, “cunning” scam designed to take advantage of Facebook’s billions of users while also providing the bad actors with a layer of protection against getting caught.

"Facebook’s research into SilentFade highlights how users seeking out pirated software are further exposed to additional risk in the form of malicious software that can silently take control of their Facebook accounts,” Narang told ConsumerAffairs. 

“Even if users aren’t directly affected by the SilentFade malware, its effect extends to Facebook users that encounter dubious advertisements for products that are counterfeit or misleading, such as phony diet pills. Users should not download pirated software and should be extremely skeptical of advertisements for discounted products or phony diet pills."

What took so long?

The interesting twist is that it’s taken two years for Facebook to tell the world about this issue. The SilentFade mob was active between late 2018 and February 2019, when Facebook's security team first caught wind of their presence. Luckily, they were able to stop the gang’s attacks. 

It’s possible that Facebook was embarrassed by the attack’s stealth-like precision. 

“This was the first time we observed malware actively changing notification settings, blocking pages, and exploiting a bug in the blocking subsystem to maintain persistence in a compromised account,” the company’s researchers said, claiming that the scam actually became a “silver lining” that helped it detect compromised accounts going forward. 


Ransomware victims could be fined by the government for making payments to hackers

New Treasury Department guidelines could lead to multimillion penalties for those who pay off cyber criminals

In an advisory published Thursday, the Treasury Department warned that individuals or companies that facilitate payments to ransomware extortionists could be fined by the U.S. government. 

Under its new guidelines, the Treasury Department said facilitating these payments could violate anti-money laundering and sanctions regulations in cases where the group of hackers is either sanctioned by the U.S. Treasury or has ties to a cybercrime group that is sanctioned. 

Huge fines of up to $20 million could be incurred by firms or people that facilitate these payments. 

“Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” said the Treasury’s Office of Foreign Assets Control (OFAC).

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

The penalty could be handed down even if the company or individual was unaware that it was engaging or transacting with a sanctioned entity. Before deciding to make any sort of payment, ransomware victims are urged to contact the OFAC.

"OFAC encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus," the agency said. 


Anthem agrees to data breach settlement with 43 states

The company will pay $39.5 million to resolve charges stemming from the 2014 attack

Health benefits provider Anthem has reached a settlement with 43 states, resolving the last of a series of lawsuits over a 2014 cyberattack. The company will pay the states $39.5 million.

The company previously agreed to a more than $16 million settlement with the U.S. Justice Department to resolve privacy issues resulting from the hack that exposed personal information on nearly 79 million people.

“Protecting the privacy of its customers should be Anthem’s top priority, otherwise people are left vulnerable and exposed,” said Ohio Attorney General Dave Yost. “The fear of having your identity stolen is alarming and it will take time to rebuild that public trust.”

Through the combined action, Yost said Ohio will receive $1.88 million from the settlement. Other states will receive similar amounts. In addition to the payments, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its practices going forward.

“Data breaches have far-reaching and long-lasting effects on people’s lives,” said Florida Attorney General Ashley Moody. “When companies fail to protect customers’ personal information, they owe it to the public to disclose that information quickly and to take steps to protect them from further damage.”

Timing of disclosure

The timing of the disclosure was one of the central issues in the states’ case. In February 2015, Anthem disclosed to the public that hackers had gained entry to its systems beginning in February 2014 by using malware installed through a phishing email. 

Once inside, the attackers gained access to Anthem’s data warehouse, where they stole names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans. 

“Protecting consumer data is incredibly important, and when companies or corporations who store large amounts of consumer data fail to safeguard that data, they must be held accountable,” said Attorney General Eric Schmitt.

Improving security

In addition to the financial settlement, Anthem has agreed to strengthen its network security protocols to avoid similar incidents in the future.

Among the steps, Anthem said it will implement a comprehensive information security program that incorporates principles of zero-trust architecture and includes regular security reports made to the Board of Directors and prompt notice of significant security events to the CEO.

It has also agreed to an assessment and audit of its security practices by a third party for three years.


Universal Health Services targeted by likely ransomware attack

Some hospitals were forced to file patient information with pen and paper due to the issue

Universal Health Services (UHS), one of the nation’s largest health care providers, disclosed Monday that its systems were affected by a highly coordinated ransomware attack. Employees at a major U.S. hospital chain said over the weekend that they couldn’t access their computers. 

UHS, which operates about 400 health care facilities across the U.S. and U.K., said an “IT security issue” was the cause of the outage.

“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible,” UHS said in a statement. “In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.” 

The company added that “no patient or employee data appears to have been accessed, copied or misused.” 

Forced to file information manually

A source familiar with the matter told NBC News that the attack “looks and smells like ransomware.” Hackers often wait to deploy ransomware over the weekend to take advantage of reduced staff members, NBC News noted.

The attack forced some UHS hospitals to file patient information manually, using pen and paper. In other instances, ambulances were redirected to other nearby hospitals. 

This isn’t the first time a hospital chain has been the target of a cyberattack. Earlier this month, Duesseldorf University Hospital in Germany was hit by a ransomware attack that resulted in a patient in critical condition having to be transferred to another hospital. The patient ended up dying while en route to the other facility. 


U.S. government places restrictions on China’s largest chipmaker

Officials say the company’s equipment could be used for military purposes

The United States has added China’s largest chipmaker, Semiconductor Manufacturing International Corporation (SMIC), to its blocked entity list. 

U.S. officials concluded that there is an “unacceptable risk” that equipment supplied by SMIC could be used for military purposes, Reuters reported. 

In the interest of protecting national security, the Commerce Department has decided to make it necessary for American companies to apply for individual export licenses in order to do business with the Chinese firm. 

Tightening trade restrictions

A spokesperson for SMIC said the company hadn't heard anything about the restrictions in the form of an official notice. It maintained that it’s not linked to the Chinese military in any way. 

“SMIC reiterates that it manufactures semiconductors and provides services solely for civilian and commercial end-users and end-uses,” the chip maker said. “The Company has no relationship with the Chinese military and does not manufacture for any military end-users or end-uses.”

The U.S. previously blacklisted Chinese telecom giant Huawei in an effort to prevent China from accessing critical chipmaking technology. The nation’s addition of SMIC to the blocked entity list will keep the semiconductor producer from getting key equipment and design tools from the U.S. 

The Commerce Department’s Bureau of Industry and Security didn’t comment specifically on the decision regarding SMIC. However, it said more broadly that it was “constantly monitoring and assessing any potential threats to U.S. national security and foreign policy interests.” 


CISA issues emergency warning over Windows security flaw

Government agencies have been told to install a patch immediately

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has warned of a critical security vulnerability affecting Windows Servers used by federal officials.

CISA said a recently discovered flaw in Windows Netlogon Remote Protocol could allow an attacker with network access to “completely compromise all Active Directory identity services.” 

In its advisory, CISA urged government agencies to install a patch as soon as possible. Failure to patch the vulnerability, known as CVE-2020-1472, could have a “grave impact,” the agency said.

“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” CISA said. “Left unpatched, this vulnerability could allow attackers to compromise network identity services.” 

Requires immediate attention

The flaw affects systems running Windows Server 2008 R2 and later, including recent releases of Windows Server that are based on Windows 10. Government agencies have until September 21 to install the patch.

“We have directed agencies to implement the patch across their infrastructure by Monday, September 21, and given instructions for which of their many systems to prioritize,” CISA said.

Microsoft said it’s dealing with the vulnerability through a phased two-part rollout. The first phase will involve the installation of a security patch released last month, which will provide the first layer of protection. Another patch to further boost security will be released February 9, 2021.

“These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels,” the company said in a statement.


Personal information for 46,000 veterans exposed in data breach

The Department of Veterans Affairs says hackers were able to infiltrate its systems

The Department of Veterans Affairs (VA) said Monday that around 46,000 veterans had their personal information exposed in a data breach.

The VA said that hackers gained unauthorized access to its systems with the aim of stealing payments that were meant to go to health care providers who had treated veterans. Some veterans may have had their Social Security numbers leaked.

"The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the medical treatment of Veterans,” the Department said in an announcement. “The FSC took the application offline and reported the breach to VA’s Privacy Office.” 

Investigation in progress 

The VA added that hackers were able to breach the system by “using social engineering techniques and exploiting authentication protocols.” The agency said it’s launching a security review. 

"To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology," it added.

The Department said it’s notifying veterans whose information was exposed in the breach. In cases where the affected veteran is deceased, the Department will notify the next-of-kin. 

“The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised," the VA said. "Veterans whose information was involved are advised to follow the instructions in the letter to protect their data. There is no action needed from Veterans if they did not receive an alert by mail, as their personal information was not involved in the incident.” 


Gaming hardware vendor Razer suffers data leak affecting up to 100,000 customers

Security researchers warn that scammers could launch phishing attempts using leaked information

Gaming hardware manufacturing company Razer accidentally leaked the data of as many as 100,000 customers, according to security researcher Bob Diachenko. 

Diachenko said in a report that the company misconfigured one of its Elasticsearch servers, leaving information available to the public and indexed by public search engines since August 18. The information leaked included customers’ full names, emails, phone numbers, and shipping addresses. 

It took Razer several weeks to respond to Diachenko, but the company finally responded and said it fixed the misconfiguration on September 9. The company claims that passwords and credit card information weren't involved in the leak.

"We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems," the company told Diachenko. "We remain committed to ensure the digital safety and security of all our customers."

Watch for suspicious emails

Improperly accessed information could be used by scammers to carry out phishing attempts, so Diachenko urges gamers to “be on the lookout for phishing attempts sent to their phone or email address.” 

“Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device,” he noted. “Razer customers could be at risk of fraud and targeted phishing attacks perpetrated by criminals who might have accessed the data.” 

Razer said customers with any questions about the leak can send a message to DPO@razer.com.


Twitter reactivates option to download personal data

It’s a fairly simple three-step process

Smarting from the doozy of a Bitcoin scam that compromised the Twitter accounts of the rich and famous, the social media company closed down the ability to download archives of “Your Twitter Data.” Now that the dust has settled and the apparent chief perpetrator has been arrested, it’s bringing that feature back.

Twitter apologized profusely for the incident, which plundered the accounts of everyone from Warren Buffett to Kanye West. Collectively, victims of the scheme posted similar tweets asking for donations via Bitcoin, but hackers also got a hold of some of those celebrities’ “Your Twitter Data” archives -- an intrusion that not only had the potential to steal private messages, but also personal data. 

How to turn personal data back on

Twitter’s process for retrieving personal data is fairly simple. To access it, just go to Settings > Account > Your Twitter data. Then, type in your password and click to start the transfer. One note of warning for Twitter app users: you might be transferred over to Twitter’s mobile website, but the platform says there’s nothing to worry about if that happens.


Cisco warns of zero-day security flaw that was exploited by hackers

The company says a patch is on the way

Cisco has warned of a high-severity zero-day security vulnerability affecting its networking devices. 

In an advisory published Saturday, the company said the new security flaw affects its Internetwork Operating System (IOS), which ships with its networking gear. Cisco said the flaw was being actively exploited as recently as last week and that it’s still in the process of developing a patch. 

The networking device manufacturer said the flaw, tracked as CVE-2020-3566, could enable an unauthorized party to remotely carry out an attack that exhausts process memory and destabilizes other processes running on the device.

"The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets,” Cisco explained. “An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device.” 

Exploitation attempts discovered

Cisco said it discovered exploitation attempts last week but didn’t provide details on what, if anything, the exploit attempts accomplished. The company only said what the flaw could allow an attacker to do. 

“A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes,” the company said. “These processes may include, but are not limited to, interior and exterior routing protocols."

Although Cisco didn’t provide an estimate of when a patch will be released, it did promise that one is on the way. 

While a patch is in the works, the company is urging users to rely on mitigation techniques, such as implementing either a rate limiter or an access control entry in an existing interface access control list. Details of these defensive measures can be found in the company’s security advisory.


FBI, CISA warn of increase in ‘vishing’ attacks

Cybercriminals are taking advantage of businesses that have shifted to a work-from-home model

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have warned that the COVID-19 pandemic has led to an increase in voice phishing (or “vishing”) campaigns. 

In a joint cybersecurity advisory, the agencies noted that the pandemic has resulted in a “mass shift to working from home,” which has made corporate virtual private networks (VPNs) a more frequent target of abuse. In July, cybercriminals launched a vishing campaign aimed at monetizing the access they had gained to employee tools.  

“The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme,” authorities said in the advisory.

“Prior to the pandemic, similar campaigns exclusively targeted telecommunications providers and internet service providers with these attacks, but the focus has recently broadened to more indiscriminate targeting,” the alert continued. 

Highly effective attack 

The advisory was published less than 24 hours after security researcher Brian Krebs of KrebsOnSecurity published research about a group of cybercriminals that has been marketing a vishing campaign that relies on custom phishing sites and social engineering techniques to steal VPN credentials from employees. 

Citing interviews with several sources, Krebs said the bad actors have experienced “a remarkably high success rate.” 

The attackers operate “primarily through paid requests or ‘bounties,’ where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home,” the report said. 

Krebs explained that a typical attempt begins with a series of phone calls to employees working remotely at a targeted organization. 

“The phishers will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s virtual private networking (VPN) technology,” according to Krebs. “The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.”

Preventing vishing attempts

FBI and CISA officials offered several tips on how people can protect themselves against vishing attempts. 

Companies and organizations are advised to restrict VPN connections to managed devices only, to employ domain monitoring, and to “consider using a formalized authentication process for employee-to-employee communications made over the public telephone network.” 

Others are advised to be suspicious of unsolicited phone calls or email messages from unknown individuals claiming to be from a legitimate organization. End users should also limit the amount of personal information they post on social networking platforms. 

“If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement,” the advisory said. 


Nearly 235 million accounts on Instagram, TikTok, and YouTube exposed in data breach

Users' names, ages, and account details were left in an unprotected server

If you’re a YouTube, TikTok, or Instagram user, hold on to your personal data, folks, because a gargantuan leak of social media profiles has shown up at the doorstep of these platforms.

According to an incident brought to light by researchers at Comparitech, Hong Kong-based Social Data exposed a database of close to 235 million social media profiles by not setting a password restriction or any other authentication required to access it. The exposed data includes these items from personal profiles:

  • Profile and real full name, age, and gender
  • Profile photo
  • Whether the profile belongs to a business or has advertisements
  • Statistics about follower engagement, including: number of followers, engagement rate, follower growth rate, audience gender/age/location, and likes
  • Last post timestamp

Based on samples Comparitech collected, it says that about 20 percent of the records also contained either a phone number or email address.

Scraping all it can find

Social Data’s model is anything but consumer-friendly, but at least it’s honest about what it does. In its Terms of Service, it admits that it “scrapes” the data of influencers who “have a presence on the Internet having in excess of a certain amount of followers (decided by the marketer) on various social media platforms.” In other words, let’s say you have 1,523 followers on Instagram and a marketer is looking for people who have at least 1,000, you would be a prime candidate to be scraped.

Web scraping is an old-hat way of automating the copying of data from web pages in bulk. The cost of doing it is relatively low, and that appeals to marketing firms that can’t afford more aboveboard methods. Social Data swears that it only scrapes what is publicly accessible, but the practice violates Facebook, Instagram, TikTok, and YouTube terms of use. 

Deep Social was banned from Facebook and Instagram in 2018, but apparently it found a way to worm its way back in. Comparitech says that the wormhole likely came about because automated scraping bots can be difficult to distinguish from normal website visitors. Because of that, social media platforms have a hard time preventing them from accessing user profiles until it’s too late.

Social Data defends itself

A Social Data spokesperson told Comparitech security researcher Bob Diachenko in an email that the data was not “hacked” because it was collected in a legal way. 

“Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access,” the spokesperson said.

“I would appreciate it if you could ensure that this is made clear,” the spokesperson continued in their email to Diachenko. “Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database. […] Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private. [sic]”


Researchers discover ‘One Click’ security flaw in Amazon’s Alexa

Attackers could access voice history records and more to extract personal information

Researchers have discovered vulnerabilities in Amazon’s digital assistant, Alexa. 

In a report published Thursday, researchers from Check Point said they found that attackers could exploit a flaw in Amazon’s Alexa that could enable them to extract personal information. 

“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” wrote Oded Vanunu, head of products vulnerabilities research at Check Point. “Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”

Requires just one click of a malicious link

The team said they found several web application flaws on Alexa-related subdomains, including Cross-Origin Resource Sharing (CORS) and Cross-Site Scripting (XSS). 

The presence of these vulnerabilities could enable attackers to access personal information like home addresses or banking data, remotely install or remove skills on a user’s Alexa account, or extract the victim’s voice history. 

“Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker,” said Dikla Barda, of Check Point Research, who helped discover the vulnerabilities.

The team noted that Amazon doesn’t record users’ banking login credentials, but that information could be extracted via recorded interactions with the smart assistant. 

“Since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,” said researchers. “We can also get usernames and phone numbers, depending on the skills installed on the user’s Alexa account.”

Prime targets to attackers

Given how many consumers use virtual assistants, Check Point said these devices are “attractive targets to attackers looking to steal private and sensitive information, or to disrupt an individual’s smart home environment.” 

“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” Vanunu said. “But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”

These devices “must be kept secured at all times to keep hackers from infiltrating our smart homes,” the researchers added. 


Calls made on 4G LTE mobile networks could be susceptible to hackers, experts say

A study has exposed a security issue in the widely used mobile network

While one recent study has highlighted the ways hackers can hack into consumers’ cell phones, a new study is looking at yet another way consumers’ privacy could be manipulated through the network they use.

According to researchers from Ruhr-University Bochum, cell phone calls made on 4G LTE mobile networks could be susceptible to hackers. Though these networks should be immune to such attacks, the researchers learned that an issue in their security systems could leave many consumers vulnerable to these types of threats.  

“Voice over LTE has been in use for six years,” said researcher David Rupprecht. “We’re unable to verify whether attackers have exploited the security gap in the past.” 

Not-so-private phone calls

The majority of consumers use LTE networks on their mobile phones for everything from browsing the internet to sending texts and making calls. One of the benefits of this kind of network is that it is designed to keep consumers’ data private. However, the researchers learned that this isn’t always the case. 

When consumers make private calls on their phones, the contents of such conversations are kept safe with a unique encryption code. When all calls have their own codes, consumers’ information can stay private. However, this study revealed that it’s rather easy for hackers to get repeated codes and ultimately steal information from consumers. 

“The attacker has to engage the victim in a conversation,” said Rupprecht. “The longer the attacker talked to the victim, the more content of the previous conversation he or she was able to decrypt.” 

The process needs to occur rather quickly, and the hacker needs to be in the same mobile network as the person they’re trying to copy information from for it to work. But if the conditions are right, the researchers explained that all a hacker has to do is call their target not long after they’ve ended a separate call to gain access to an encryption code to steal information. 

The researchers analyzed random calls made on an LTE network across Germany. They found that 80 percent of the calls they examined were affected by this kind of security breach.

While this is certainly cause for concern, the researchers noted that several mobile networks have already resolved this issue. However, it’s still very important for consumers to be aware of these potential vulnerabilities and to stay vigilant since it’s impossible to determine if the issue has been completely eradicated. 
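As an added illustration (not from the article or the Bochum researchers), the Python model below shows why reusing a call's encryption key is fatal: if a second call in the same radio connection is protected with the same keystream as the first, a second caller who knows their own conversation can recover the keystream and read as much of the earlier call as their own call was long, exactly as the quote above describes. The HMAC-based keystream generator, the `BaseStation` class and the sample call contents are constructed stand-ins for illustration, not the LTE cipher or a real network component.

```python
import hashlib
import hmac
import secrets


def keystream(session_key: bytes, bearer_id: int, length: int) -> bytes:
    """Stand-in keystream generator (HMAC-SHA256 in counter mode).

    This is NOT the LTE cipher. It only models the property that matters
    here: the same (key, bearer identifier) always yields the same keystream.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = bearer_id.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out.extend(hmac.new(session_key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_call(session_key: bytes, bearer_id: int, audio: bytes) -> bytes:
    """Stream-cipher style protection of call content: audio XOR keystream."""
    return xor_bytes(audio, keystream(session_key, bearer_id, len(audio)))


class BaseStation:
    """Constructed model of the network side that hands out call keys.

    reuse_key=True reproduces the flaw described in the article: a second
    call within the same radio connection gets the same key and bearer
    identifier, so its keystream repeats. reuse_key=False models the fix:
    fresh key material for every call.
    """

    def __init__(self, reuse_key: bool):
        self.reuse_key = reuse_key
        self.session_key = secrets.token_bytes(16)
        self.bearer_id = 5  # constructed identifier, same for both calls

    def new_call(self) -> tuple[bytes, int]:
        if not self.reuse_key:
            self.session_key = secrets.token_bytes(16)
        return self.session_key, self.bearer_id


def recover_previous_call(ct_previous: bytes, ct_own: bytes, own_audio: bytes) -> bytes:
    """What the second caller can compute from material they legitimately hold.

    Knowing their own plaintext and its ciphertext yields the keystream; if the
    earlier call used the same keystream, XORing it back reveals that call, but
    only for as many bytes as the second call lasted.
    """
    ks = xor_bytes(ct_own, own_audio)
    n = min(len(ct_previous), len(ks))
    return xor_bytes(ct_previous[:n], ks[:n])


def simulate(reuse_key: bool, victim_audio: bytes, second_call_audio: bytes) -> bytes:
    """Run two consecutive calls through the model and return the recovered bytes."""
    station = BaseStation(reuse_key)
    key1, bearer1 = station.new_call()
    ct_victim = encrypt_call(key1, bearer1, victim_audio)
    key2, bearer2 = station.new_call()
    ct_second = encrypt_call(key2, bearer2, second_call_audio)
    return recover_previous_call(ct_victim, ct_second, second_call_audio)


# Constructed sample call contents (stand-ins for audio frames).
VICTIM_AUDIO = b"my account pin is 4412, please keep it private"
SHORT_SECOND_CALL = b"hello, is this the helpdesk?"
LONG_SECOND_CALL = b"hello, is this the helpdesk? I am calling about my phone bill"

if __name__ == "__main__":
    print("flawed, short call :", simulate(True, VICTIM_AUDIO, SHORT_SECOND_CALL))
    print("flawed, long call  :", simulate(True, VICTIM_AUDIO, LONG_SECOND_CALL))
    print("fixed, long call   :", simulate(False, VICTIM_AUDIO, LONG_SECOND_CALL))
```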


TikTok accused of tracking device data from Google Android users

An investigation claims the company tracked user data for 18 months before discontinuing the practice

Video-sharing platform TikTok has faced a great deal of scrutiny from U.S. regulators over its data collection practices and its connection to the Chinese government. While it has defended itself and even offered to share its algorithms with the cybersecurity community, a recent investigation by the Wall Street Journal suggests that it had been tracking Google Android users for months without their knowledge or consent.

The publication reports that TikTok circumvented Google privacy safeguards to collect MAC addresses from Android users for 18 months before stopping the practice last November, when scrutiny from the U.S. government was ramping up. MAC addresses can act as identifiers that are unique to individual devices and could be used to serve users targeted ads. 

The new finding contrasts starkly with the company’s reaction to an executive order issued last week that seeks to ban the app from the U.S. over data privacy concerns. 

“We want the 100 million Americans who love our platform because it is your home for expression, entertainment, and connection to know: TikTok has never, and will never, waver in our commitment to you. We prioritize your safety, security, and the trust of our community -- always,” the company said in a blog post.

Feds clash with TikTok

The Trump administration previously cited concerns that TikTok and other Chinese apps like WeChat are able to gather data and share that information with the Chinese government. 

“TikTok automatically gathers vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search history,” the administration’s executive order stated. “This data threatens to allow the Chinese Communist Party (CCP) access to Americans’ personal and proprietary information -- potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information and blackmail, and conduct corporate espionage.”

While the Journal’s investigation shows no evidence of this kind of agenda, the findings do place a dark cloud over the company’s stance on user privacy and security. In response to the report, a TikTok spokesperson reaffirmed that the company prioritizes user security.

“Under the leadership of our Chief Information Security Officer (CISO) Roland Cloutier, who has decades of experience in law enforcement and the financial services industry, we are committed to protecting the privacy and safety of the TikTok community. We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never given any TikTok user data to the Chinese government nor would we do so if asked,” the spokesperson said.

Regulators respond

In a statement to the Journal, Sen. Josh Hawley (R-Mo.) called on Google to take action to prevent TikTok and other apps from skirting its security to collect consumers’ data.

“Google needs to mind its store, and TikTok shouldn’t be on it. If Google is telling users they won’t be tracked without their consent and knowingly allows apps like TikTok to break its rules by collecting persistent identifiers, potentially in violation of our children’s privacy laws, they’ve got some explaining to do,” he said. 

Talkspace accused of mining private client data

Former employees claim the mobile therapy startup routinely used patient data for marketing purposes

Talkspace, a mobile app that enables users to message a certified therapist, has been accused of regularly mining data from the transcripts of clients' private therapy sessions.

Former Talkspace employees interviewed by the New York Times claimed the mobile therapy startup used data that was supposed to be kept private for marketing purposes. 

The former employees claim Talkspace had data scientists pull commonly used phrases from anonymized patient transcripts. These key phrases were then allegedly shared with the company’s marketing team, which used the information to target new customers. 

The report also alleges that Talkspace gave employees phones to post fake positive reviews to the App Store and Play Store.

Talkspace denies allegations

In a Medium post published over the weekend, Talkspace co-founders Roni and Oren Frank denied that the startup mined data for marketing purposes.

They said the Times article “misconstrues our work and makes false and uninformed assertions about patient privacy and certain marketing practices.” The founders said the former employee featured in the story “shared information that is from 2016 and is not accurate.” 

"Talkspace is a HIPAA/HITECH and SOC2 approved platform, audited annually by external vendors and has deployed additional technologies to keep its data safe, exceeding all existing regulatory requirements," they wrote.

Capital One to pay $80 million over data breach

The company will be required to create new internal checks to stop it from happening again

Back in 2019, Capital One released details of a massive data breach that compromised the personal information of over 100 million consumers in the U.S. and Canada. Now, it’s being forced to pay the piper for its mistakes. 

The Office of the Comptroller of the Currency (OCC) announced this week that Capital One will pay an $80 million civil penalty due to the breach. The Federal Reserve Board is also requiring the company to upgrade its internal risk management systems, as well as its cybersecurity and information security practices, to prevent a similar breach from happening in the future. 

“The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner,” the OCC stated. 

Exposed information

At the time, the scope of the Capital One breach was compared to the infamous Equifax breach of 2017, which compromised the personal data of nearly 150 million Americans. 

The exposed information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. The hacker responsible for the breach also accessed 140,000 Social Security numbers and 80,000 bank account numbers linked to secured credit card customers. Nearly 1 million Canadian Social Insurance numbers were also compromised. 

Twitter acknowledges security vulnerability affecting Android users

A flaw may have exposed private data of users running Android OS versions 8 and 9

Twitter has disclosed details of a new security vulnerability that may have exposed the direct messages of its Android device users. The company said Wednesday that the vulnerability could have exposed the data of Twitter users running devices with Android OS versions 8 and 9.

“This vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this,” Twitter said in a blog post.

The issue, which is now fixed, affected only a small fraction of Twitter users. Twitter said it was linked to an Android OS security issue that only affects versions 8 and 9. Around 96 percent of people using Twitter for Android already have a security patch for this vulnerability, Twitter said. 

The issue didn’t impact users running Twitter for iOS or Twitter.com.

Notices sent to affected users

The social media platform said it doesn’t currently have any evidence that the vulnerability was exploited, but it “can’t be completely sure” that it wasn’t. In an effort to protect the small group of potentially vulnerable users, the company rolled out an update to its Android app to ensure external apps can’t access in-app data. 

Twitter also sent in-app alerts to those affected and required them to update their app to the latest version. Going forward, Twitter has promised to identify “changes to our processes to better guard against issues like this.”

“To keep your Twitter data safe, please update to the latest version of Twitter for Android on all Android devices that you use to access Twitter,” the company said. “Your privacy and trust is important to us and we will continue working to keep your data secure on Twitter.”

Twitter could face $250 million fine over improper use of user data

Regulators accused Twitter of using user data to target advertising between 2013 and 2019

Twitter warned investors on Monday that it could be slapped with an FTC fine of up to $250 million for using personal information provided by users for security purposes to instead target advertising. 

In its second-quarter 10-Q financial filing with the Securities and Exchange Commission (SEC), Twitter said it received a draft complaint from the FTC on July 28. The FTC alleged that the company’s actions violated a 2011 agreement requiring it to establish a more robust security program and stop misleading consumers about how it protects their personal information.

“The allegations relate to the Company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019,” Twitter wrote. “The Company estimates that the range of probable loss in this matter is $150.0 million to $250.0 million and has recorded an accrual of $150.0 million.”

Twitter came clean about its use of user data for ad targeting back in October. At the time, the company said it “unintentionally" used some email addresses and phone numbers for advertising. The information was provided by users for account security purposes, such as setting up two-factor authentication. 

Twitter said in the financial filing that the matter “remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.” 

Impact of recent security breach 

The financial filing also gave an update on the potential impact of the site’s recent hacking. Last month, a 17-year-old hacker was allegedly able to gain access to a number of high-profile accounts to promote a cryptocurrency scam. Twitter said in the filing that the breach could hurt its reputation, affect its relationship with advertisers, and hinder its growth.

“This security breach may have harmed the people and accounts affected by it,” the company said in the filing. “It may also impact the market perception of the effectiveness of our security measures, and people may lose trust and confidence in us, decrease the use of our products and services or stop using our products and services in their entirety.”

Trump set to ‘take action’ against TikTok and other Chinese apps

The Trump administration is concerned that TikTok's Chinese ownership poses a risk to national security

President Trump is poised to “take action” against Chinese apps, including TikTok, in the coming days, Secretary of State Mike Pompeo said Sunday. The Trump administration is concerned that the apps threaten national security. 

During an interview on Fox News' "Sunday Morning Futures," Pompeo said the administration believes TikTok, a social media video app owned by China-based Bytedance, could potentially feed data to the Chinese Communist Party. 

"Here's what I hope that the American people will come to recognize -- these Chinese software companies doing business in the United States, whether it's TikTok or WeChat, there are countless more ... are feeding data directly to the Chinese Communist Party, their national security apparatus -- could be their facial recognition pattern, it could be information about their residence, their phone numbers, their friends, who they're connected to," Pompeo said. 

"President Trump has said enough and we're going to fix it and so he will take action in the coming days with respect to a broad array of national security risks that are presented by software connected to the Chinese Communist Party,” he added. 

Pompeo said Trump “will make sure that everything we have done drives us as close to zero risk for the American people...That's the mission set that he laid out for all of us when we began to evaluate this now several months back. We're closing in on a solution and I think you'll see the President's announcement shortly.”

TikTok responds

TikTok has maintained that it would never give the Chinese government access to U.S. user data. In response to Trump’s threat on Friday to ban the platform in the United States, TikTok U.S. General Manager Vanessa Pappas posted a video saying the social media app is “not planning on going anywhere.”

“These are the facts: 100 million Americans come to TikTok for entertainment and connection, especially during the pandemic,” a company spokesperson said in a statement. “We've hired nearly 1,000 people to our US team this year alone, and are proud to be hiring another 10,000 employees into great paying jobs across the US.” 

“We are committed to protecting our users' privacy and safety as we continue working to bring joy to families and meaningful careers to those who create on our platform.” 

Cracking down on Chinese companies

President Trump’s planned action against TikTok and other Chinese apps would join other efforts to tighten U.S. security amid concerns over Chinese data sharing. Previously, the administration ordered the U.S. to stop buying equipment from Chinese telecom providers Huawei and ZTE. 

In July, the FCC formally designated the companies as national security threats, citing a “weight of evidence” that the companies could “cooperate with the country’s intelligence services” to harm U.S. communications. 

“With today’s Orders, and based on the overwhelming weight of evidence, the (FCC’s Public Safety and Homeland Security) Bureau has designated Huawei and ZTE as national security risks to America’s communications networks—and to our 5G future,” FCC Chairman Ajit Pai said in a statement at the time. 

Consumers are increasingly wary of how corporations handle their data

A survey suggests that most people want more control over how businesses use their personal information

As big tech companies get bigger -- and even smaller players dig deeper into consumers’ personal histories -- a survey suggests that the public is becoming increasingly wary.

A new survey from KPMG shows rising concern among consumers about how corporations use, manage, and protect their personal data. The survey found 56 percent of Americans want more control over their personal data and believe that both corporations and the government must work harder to protect consumer data.

Privacy appears to be a hot button topic with consumers, particularly when it comes to technology. Ninety-seven percent of consumers in the survey checked the box when asked if it’s an important issue.

At the same time, the survey suggests that consumers are deeply suspicious of what companies are doing with their data. Well over half -- 68 percent -- don't trust companies to ethically sell their personal data.

"With consumers indicating that they see data privacy as a human right, and new legislation expected in the years ahead, it is critical that companies begin to mature privacy programs and policies," said Orson Lucas, principal, KPMG Cyber Security Services. "Consumer demands for the ethical use of data and increased control over their own data must be a core consideration in developing data privacy policies and practices."

Facebook and privacy

Facebook may offer a case in point in how consumers’ personal data gets packaged and sold. The issue burst into the headlines in 2018 when Facebook revealed that a political marketing firm, Cambridge Analytica, had gained unauthorized access to user data to target political ads in 2016.

There have been other revelations of the misuse of consumer data in the years that followed, including a 2019 disclosure which indicated that as many as 100 app developers retained data from user groups on the platform. 

In June, Google was sued for allegedly violating the privacy of millions of users by tracking their use of the internet via browsers set to “private” browsing mode. The lawsuit seeks at least $5 billion; $5,000 per user or three times actual damages, whichever is greater, according to the complaint.

While consumers overwhelmingly believe companies and the government need to do more to protect privacy, the KPMG survey also found consumers have some responsibility in that area too.

More than 40 percent of those in the survey said they often use the same password for multiple accounts, use public Wi-Fi, or save a card to a website or online store, even though they are aware that it poses a privacy risk.

"Part of the challenge for corporations will be getting employees and customers to do their part in protecting their own data," said Steve Stein, principal, KPMG Cyber Security Services.  

TikTok makes its algorithms available and says other tech companies should too

The company’s move is bold, but it could make itself look good

TikTok -- the Chinese video-sharing social networking service used by more than a billion people -- says it wants to be transparent. 

Given the recent run of bad luck the company has had with the U.S. government, Amazon, Wells Fargo, and others, there may be a number of doubters who think the idea sounds fishy, but the company seems to think that the only way to reverse its bad luck is by proving that it’s on the up and up.

When TikTok uses the word “transparent,” what it’s saying is that it is taking steps to give outsiders complete access to the algorithms its app uses to categorize and share users’ videos. To add some muscle to its offer, the company says it will let experts “observe our moderation policies in real-time.”

Opening up the algorithm

TikTok CEO Kevin Mayer laid out his vision in a blog post on Wednesday, cheerleading the notion that “fair competition and transparency benefits us all.” Coming clean about TikTok’s issues, Mayer admitted that the app’s Chinese origin is an elephant it can’t seem to get out of the company’s boardroom.

“With our success comes responsibility and accountability. The entire industry has received scrutiny, and rightly so. Yet, we have received even more scrutiny due to the company's Chinese origins,” Mayer said. He then threw down a challenge to the company’s competitors.

“We will not wait for regulation to come, but instead TikTok has taken the first step by launching a Transparency and Accountability Center for moderation and data practices,” he said. “Experts can observe our moderation policies in real-time, as well as examine the actual code that drives our algorithms. This puts us a step ahead of the industry, and we encourage others to follow suit.”

Angling for a more favorable position

Timing is everything, and that’s not lost on Mayer. The big wigs at Amazon, Apple, Facebook, and Google were in D.C. to face the House of Representatives' Judiciary antitrust panel on Wednesday. Even though TikTok officials were spared being grilled in person, it’s pretty likely that the platform’s name will come up before the gavel closes the session.

In the past, Facebook boss Mark Zuckerberg has held up TikTok as an example of why American tech firms need to be free to counter the rise of China. In his prepared remarks, published Tuesday, Zuckerberg brought up the subject of competition between Facebook and its foreign rivals again by claiming that the playing field in China, in particular, is not level.

While Zuckerberg was waiting for his turn in front of legislators on Wednesday, Mayer took the opportunity to take a shot across Zuckerberg’s bow in hopes of making TikTok look like a good guy. 

“Facebook is even launching another copycat product, Reels (tied to Instagram), after their other copycat Lasso failed quickly,” Mayer wrote. “But let's focus our energies on fair and open competition in service of our consumers, rather than maligning attacks by our competitor – namely Facebook – disguised as patriotism and designed to put an end to our very presence in the U.S.”

Garmin confirms ransomware attack took down service

After a five-day outage, systems are coming back online

Garmin has confirmed that a ransomware attack was behind a system outage that customers dealt with for five days starting July 23. 

"Garmin is currently experiencing an outage that affects Garmin services including Garmin Connect," the company said in a statement last week. "As a result of the outage, some features and services across these platforms are unavailable to customers."

On Monday, the company said an external cyberattack “encrypted some of our systems” and disrupted many of its services.

“As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications,” the statement read. “We immediately began to assess the nature of the attack and started remediation.”

Garmin said it has “no evidence” that any customer data, including activity and payment information, was compromised or stolen. The fitness tracker and GPS maker said it’s restoring service, but it will take a few days before everything is completely back to normal. 

Sources told tech websites ZDNet, TechCrunch, and Bleeping Computer that the outage was caused by ransomware called WastedLocker, which is run by a cybercriminal group known as Evil Corp. 

Justice Department charges two Chinese hackers with attempting to steal COVID-19 research

The Department said the hackers were involved in a long-running global hacking campaign

The Justice Department on Tuesday charged two Chinese hackers with attempting to gain access to the United States’ COVID-19 research. 

The Department said the two individuals charged were involved in a global hacking campaign that spanned more than a decade. The hackers recently sought to exploit vulnerabilities in the computer networks of a Massachusetts biotech company carrying out COVID-19 vaccine research. 

In an 11-count indictment, the DOJ alleged that LI Xiaoyu and DONG Jiazhi “conducted a hacking campaign lasting more than ten years to the present, targeting companies in countries with high technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom.” 

The Department said the hackers were trained in computer applications technologies at the same Chinese university. Both individuals were working for the Chinese government’s Ministry of State Security and for their own personal financial gain. 

Targeting sensitive information

The industries allegedly targeted by the pair included high tech manufacturing, medical devices, industrial engineering, business, pharmaceuticals, and defense, among others. The Justice Department said there was at least one instance in which the hackers attempted to extort cryptocurrency by threatening to release the victim’s stolen source code on the internet. 

More recently, the hackers “probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments,” the Department said. There is currently no indication that the hackers were successful in obtaining any COVID-19 research. 

The indictment comes in the same month that intelligence officials said Russian hackers had attempted to target organizations carrying out coronavirus vaccine research. The charges filed today are the first to formally accuse foreign hackers of targeting ongoing COVID-19 research in the U.S., according to the Associated Press. 

“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” John C. Demers, assistant attorney general for national security, said in a statement.

Russian hacking group accused of trying to steal COVID-19 vaccine research

The group is reportedly using malware and spear-phishing attacks

A Russian hacking group is reportedly targeting organizations carrying out research on a COVID-19 vaccine, according to intelligence agencies from the U.S., U.K., and Canada. 

In an advisory published Thursday by the UK National Cyber Security Centre (NCSC), security officials warned that a hacking group called APT29 (also called “the Dukes” or “Cozy Bear”) is targeting health care organizations in the three countries.

The group is using malware and spear-phishing attacks to try to steal coronavirus vaccine research. Officials didn’t say how much vaccine information the Russian group has stolen or how the group’s actions have impacted research efforts.

"APT29's campaign of malicious activity is ongoing, predominantly against government, diplomatic, think tank, healthcare and energy targets to steal valuable intellectual property," a press release on the advisory said.

History of hacking

The hacking group previously carried out a phishing attack on Hillary Clinton’s campaign chairman John Podesta in 2016. 

“APT29 has a long history of targeting governmental, diplomatic, think-tank, health care and energy organizations for intelligence gain, so we encourage everyone to take this threat seriously,” said Anne Neuberger, the National Security Agency’s cybersecurity director.

Dominic Raab, the U.K.’s foreign secretary, said it’s “completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic.”

“While others pursue their selfish interests with reckless behavior, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health,” Raab said in a statement, adding that the U.K. will "continue to counter those conducting such cyber attacks.” 

The NSA said it remains “steadfast in its commitment to protecting national security by collectively issuing this critical cybersecurity advisory as foreign actors continue to take advantage of the ongoing COVID-19 pandemic.” 

Facebook admits to sharing user data in another personal data gaffe

The problem is fixed, but users have heard that before

Facebook has more egg on its face. Besides the bevy of advertisers pulling their ad dollars over the company’s stance on hateful content, the master spirit of social media has confessed that it erred in sharing the personal data of inactive accounts -- and for longer than it had the authority to do so.

In a blog post, Facebook’s Konstantinos Papamiltiadis, VP of Platform Partnerships, came clean about the mistake, saying that “in some instances” third-party apps collected data from inactive users past the 90-day window that Facebook’s Mark Zuckerberg committed to in the face of the Cambridge Analytica scandal.

What exactly happened

The example that Papamiltiadis used was if someone used a fitness app to invite their friends from their hometown to a workout. He said in an instance like that, Facebook didn’t recognize that some of the user’s friends may have been inactive for several months.

Papamiltiadis estimated that around 5,000 app developers continued to receive some sort of information -- like gender or the language spoken -- but that the company has yet to see any hard evidence that the issue went further than the permissions those inactive accounts originally gave when they signed up for the app.

“We fixed the issue the day after we found it. We’ll keep investigating and will continue to prioritize transparency around any major updates,” Papamiltiadis promised.

Going forward

Whether this was an incidental error or an egregious one, Facebook quickly instituted new safeguards to keep this from happening again. 

Those new measures fall under a revision of Facebook’s Platform Terms and Developer Policies, which detail app developers' responsibility to safeguard data and respect people’s privacy when using its platform. Specifically, the company is putting limitations on the information developers can share with third parties without the explicit consent from a user. 

Papamiltiadis said that the updated policy should also strengthen data security requirements and spell out exactly when developers have to delete a user’s data.

Consumers face big security risks in shift to working from home, study finds

Personal data could be more at risk in this new environment

Millions of Americans have been working from home since late March and are likely to continue doing so well into next year.

While the threat from scammers targeting individuals has been quick to emerge, a new IBM study has found a host of security issues resulting from this new trend that pose risks to corporations and consumers’ personal information.

At the office, employees usually work on highly secure networks with robust safety protocols. At home, the IBM study found employees are using their home WiFi and are often completing work on personal laptops.

‘Long-lasting reality’

Businesses and employees were thrust into the work-at-home world suddenly, with little to no time for planning. The study authors found that most of the employees now working from home had little to no experience doing so before the pandemic closed their offices.

The study authors worry that cybercriminals will have a much easier time breaching an employee’s home security network than they would breaking into a corporate network. They point out that customer service agents who worked in closely managed call centers are now managing sensitive customer data at home.

"Organizations need to use a risk-based approach with work-from-home models, then reassess and build from the ground up," said IBM’s Charles Henderson. "Working from home is going to be a long-lasting reality within many organizations, and the security assumptions we once relied on in our traditional offices may not be enough as our workforce transitions to new, less controlled surroundings."

Henderson says businesses need to be playing catch-up. IBM found that most employees now working from home are confident in their company's ability to keep personally identifiable information secure in this new environment. But 52 percent said they are using personal laptops to work at home, and 45 percent said they haven’t received any specific training.

Policy lapses

The study contains a virtual catalog of additional policy lapses that could expose business and consumer data. Specifically, the study found that:

  • More than half of employees have not been provided with new guidelines on how to handle highly regulated data while working from home;

  • More than 50 percent of respondents don't know of any new company policies related to customer data handling, password management, and other sensitive information;

  • More than 50 percent of new work from home employees are using their own personal computers for business use, but 61 percent say their employer hasn't provided tools to properly secure those devices; and

  • Sixty-six percent of employees have not been provided with new password management guidelines, which could be why 35 percent are still reusing passwords for business accounts.

While there have been no major data breaches reported since employees began working from home, the current trends are not encouraging. A recent analysis by researchers at cybersecurity company Tessian found just over half of home-bound employees are engaging in riskier behavior, such as using email to share sensitive files instead of more secure means of communication. 

Nintendo says 300,000 accounts were hacked

The company says it discovered additional breached accounts after continuing an investigation started in April

Nintendo disclosed on Tuesday that 300,000 accounts have been compromised by hackers since the beginning of April. 

In a statement on its website, originally written in Japanese, the company said a higher number of malicious attackers used users’ Nintendo Network IDs without their permission than previously believed. 

In April, the company said 160,000 accounts were breached. On Tuesday, the company said it found, after continuing its investigation, that the figure is actually around 300,000. However, Nintendo said only a small number of hacked accounts were used to make purchases or to buy items on Nintendo's platform.

Nintendo says credit card information wasn’t exposed, but multiple reports said hackers gained access to “PayPal funds linked to the Nintendo eShop and used them to purchase game currencies like Fortnite’s ‘V-bucks’ and, in some cases, hundreds of dollars worth of games,” the Deseret News reported in April.

Emailing affected users

Nintendo said it is almost done issuing refunds to customers whose accounts were used to make fraudulent purchases. 

Affected users will receive an email from the company urging them to update their passwords. Users can also set up two-factor authentication for additional security. People who previously used a Nintendo Network ID to log in are now urged to use their Nintendo account email address instead. 

When Nintendo first announced the breach, it promised to “make further efforts to strengthen security and ensure safety so that similar events do not occur.” 


Zoom won’t offer encryption for free users to comply with law enforcement

Free calls won’t be encrypted so that law enforcement can access information in the event of ‘misuse’ of the platform

Video conferencing platform Zoom has confirmed that its free users won’t get end-to-end encryption -- which is strongly recommended by privacy advocates -- because law enforcement may need to access these calls in the event that the platform is “misused.” 

“We think this feature should be a part of our offering” for professional customers, said Zoom CEO Eric Yuan in a meeting with investors Tuesday. “Free users — for sure we don’t want to give [them] that, because we also want to work together with the FBI, with local law enforcement, in case some people use Zoom for a bad purpose.”

The policy has drawn criticism from security experts, who have taken issue with Zoom’s requirement of a payment in exchange for end-to-end encryption. 

“This is a bizarre policy to say the least. Zoom. Perhaps it should have said ‘Y’all free users are just potential criminals. Y’all don’t deserve e2e protection,’” tweeted user PrivacyMatters.

Privacy problems

Zoom has dealt with a number of security issues in recent months, some of which transpired due to the unexpected surge in the number of Zoom users. One such issue was a phenomenon known as “Zoombombing," where hackers infiltrate and disrupt private chats. 

Zoom has also been accused of sending data from users of its iOS app to Facebook and making false claims that video calls were encrypted. Additionally, half a million Zoom accounts have surfaced on the darknet.

In an effort to address security shortcomings, Zoom acquired Keybase, an end-to-end encryption start-up. But based on the latest information, a majority of Zoom calls will remain unencrypted. 

A company spokesperson said that Zoom “does not proactively monitor meeting content, and we do not share information with law enforcement except in circumstances like child sex abuse.” Additionally, Zoom says it doesn’t, and will never, have “backdoors where participants can enter meetings without being visible to others.” 

“Zoom’s end-to-end encryption plan balances the privacy of its users with the safety of vulnerable groups, including children and potential victims of hate crimes. We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.”


Apple releases update with patch for recently discovered jailbreak

The company has released iOS 13.5.1, which it says ‘provides important security updates’

Apple has released a patch for a jailbreaking tool uncovered last week by hacking group Unc0ver. The group recently found that Apple’s just-released iOS 13.5 could be the target of a new jailbreak which could unlock all iPhones running iOS 11 and above. 

In its release notes for the update, Apple said it “provides important security updates and is recommended for all users.” 

The jailbreak was shared at the end of May, just a few days after Apple released iOS 13.5. The hacking group that discovered it said it utilized exceptions that enabled security to remain intact; programs would keep running separately so they couldn’t access unauthorized data. 

"This jailbreak basically just adds exceptions to the existing rules," the jailbreak’s lead developer told WIRED. "It only enables reading new jailbreak files and parts of the file system that contain no user data."

Experts say jailbreaking -- or the process of hacking an iOS device to get around software restrictions put there by Apple for security purposes -- can potentially open a device to security risks. Jailbreaking a device removes Apple’s security protections and can allow hackers to steal personal information, damage your device, attack your network, or introduce malware, spyware or viruses.

The jailbreak discovered by Unc0ver was said to be the first zero-day jailbreak release since iOS 8.


Hacker discovers vulnerability in Apple’s ‘Sign in with Apple’ feature

A security researcher was paid $100,000 for finding the now-patched vulnerability

A security researcher from Delhi discovered a vulnerability in Apple’s “Sign in with Apple” feature, first introduced in June 2019. The flaw could have allowed a malicious party to take over an account with only an email ID. 

Apple paid the person who discovered the vulnerability $100,000 through its bug bounty program. Now that the bug has been fixed by Apple, the person who discovered it -- Bhavuk Jain -- has published a disclosure about it. 

“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” Jain wrote. “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.” 

Vulnerability patched

When Apple introduced its “Sign in with Apple” feature in 2019, it touted it as a "more private way to simply and quickly sign into apps and websites." A user could sign up with third-party apps and services without needing to provide their Apple ID email address.

The vulnerability reported on May 30 was eye-opening because it could have allowed an attacker to take over users’ accounts regardless of whether the victim used a valid Apple ID email or not. Forbes noted that the flaw was also a shocker because Apple didn’t discover it during development. 

Jain said he found that he could request authentication tokens for any Email ID from Apple and “when the signature of these tokens was verified using Apple’s public key, they showed as valid.” 

“This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” he wrote. 

Jain noted that an internal investigation carried out by Apple concluded that no account compromises or misuse had occurred before the vulnerability was patched.


Mastercard introduces new consumer protections at the gas pump

The company says it’s an interim measure before all gas pumps have EMV chip technology

To combat the growing plague of credit card fraud at the gas pump, Mastercard has launched a program to protect consumers using payment cards at gas pumps that haven’t upgraded to EMV terminals.

At the same time, Mastercard said it is giving gas stations additional time -- until April 16, 2021 -- to make the change to the more secure system before facing liability for fraudulent transactions.

Scammers have replaced old-fashioned credit card skimmers that stole customers’ credit card numbers with new technology that steals the information digitally. Mastercard reports that fraud at gas pumps made up 17 percent of all credit card fraud losses in the fourth quarter of 2019.

Safer system

The company’s new consumer protection program is aimed at providing the merchant and lenders with tools to help them navigate the heightened risk that this particular brand of fraud is presenting.

“Many fuel companies have made the shift to a safer and more secure EMV environment, and we applaud them for doing so,” said Kush Saxena, executive vice president, US Merchants and Acceptance, Mastercard. “However, we also recognize and respect the complexities to upgrade to safer and more secure EMV transactions at fuel dispensers over the next few months.” 

EMV terminals read an embedded chip on the card containing encrypted data. It is now almost universally used for point-of-sale transactions. It has only been in the last few months that this technology has begun to be added to fuel pumps.

The new Mastercard program adds a distinct layer of protection that the company believes will make the transition away from the old swipe card readers at gas pumps both more effective and safer.

How it works

Mastercard issuing banks will receive enhanced data on high-risk fraud transactions at fuel merchants and will use that information to decide whether to authorize the purchase. In that way, Mastercard says fraud can be stopped before it starts.

The company’s Safety Net and Fraud Rules Manager programs will be upgraded to sharpen the criteria issuers use in those decisions, providing additional protection for their cardholders at fuel pumps.

In late 2019, Visa issued a security alert warning that gas pump thieves were stealing card information without physically altering the gas pump card reader. Instead, they breached the merchant’s payment network and planted malware to collect the data.

To mitigate gas pump credit card fraud, BP recently introduced an app that can be used to pay for gasoline purchases online without physically using a payment card. The app automatically bills the purchase to the card on file.

Mastercard says upgrading all gas pumps in the U.S. to use EMV technology is the best way to stop scammers in their tracks. It says payment card fraud at U.S. gas stations that installed the new technology fell 88 percent between 2015 and 2019.


EasyJet’s hack compromises 9 million customer records

With the pandemic forcing businesses to work at reduced staffing, this seems to be a growing trend

If you’re a traveler who has flown anywhere in Europe using EasyJet, heads up. Tuesday morning, the low-cost London-based airline disclosed that its customer database had been pillaged by a “highly sophisticated” source. 

The airline told the stock market world that unauthorized access to its systems has been completely sealed off. Still, for the 9 million customers who had their email addresses and travel details compromised and the 2,208 customers who had their credit card details exposed, that’s anything but good. The airline said affected customers will be contacted by the airline no later than May 26. 

EasyJet CEO Johan Lundgren said in a statement that the company takes cybersecurity seriously but that “this is an evolving threat as cyber attackers get ever more sophisticated.”

Cyber attacks more common during pandemic

With the pandemic forcing businesses to work with minimum staff, this digital raid might have been expected. 

“It comes as no surprise that well-known organizations who are very publicly affected by the pandemic -- and are known to have furloughed lots of staff -- would be the targets of sophisticated cyberattacks, with the potential to cause significant reputational damage,” Andrew Tsonchev, director of technology at cybersecurity firm Darktrace told CNBC.

While Tsonchev is only speculating, there might be a stick-up that may yet come out of this. “Globally ... we’ve seen an uptick in highly targeted and sophisticated attacks like these,” he said. 

“Access ‘downstream’ to clients and customer data is often the goal of these attacks, as withholding this data not only secures a quick ransom payout at a time when companies are keen to keep cost down, but can also provide vital nuggets of information to launch secondary attacks.”

Think you might be affected?

As is pretty much standard in these situations, Lundgren did his best to give the airline’s customers some solace, suggesting that they be “extra vigilant” if they get an email that purportedly comes from the airline or its travel arm EasyJet Holidays. 

ConsumerAffairs has a couple of other smart moves to suggest: If you’ve done ANY business with EasyJet, be on alert for any unusual activity on your credit cards or bank accounts, change passwords for your EasyJet and any related accounts, and check with HaveIBeenPwned to see if your email address has been compromised in this (or any other) data breach.


Apple, Google announce privacy safeguards for COVID-19 exposure app

The program will allow public health authorities to alert consumers of a potential exposure to a person with COVID-19

Apple and Alphabet’s Google announced on Monday that they will disable location tracking in apps that use their coronavirus tracking program, “Contact Tracing,” with the aim of ensuring user data is protected. 

Apple and Google announced the new program in April, saying it would allow them to send alerts to consumers who may have been in contact with someone who was exposed to COVID-19. The companies said the goal of the program was to slow the spread of the novel virus and help facilitate society’s return to normal. 

The companies said at the time that user privacy and security was “central to the design” of the program, although Apple did say it would collect “some information.” After the program was announced, the Senate Finance Committee raised concerns about the privacy implications of the program. 

Apple assured senators that Contact Tracing was developed with layers of “technical and administrative safeguards” to protect data as it’s being transported. Additionally, the company said only authorized public health authorities would be allowed access to that data. 

‘Privacy-preserving’ tech 

On Monday, the two companies announced that they would ban the use of location tracking in apps that use the program. Apple and Google said their priority is protecting user privacy and preventing governments from using the system to collect data on consumers. 

The program uses Bluetooth signals from people’s phones to detect encounters, but it doesn’t use or store GPS location information. Apple and Google said Monday that they will allow only one app per country to use Contact Tracing to avoid fragmentation between different systems and allow all smartphones to work together.

The companies are expected to push the new software to consumers’ smartphones automatically later this month. 

“All of us at Apple and Google believe there has never been a more important moment to work together to solve one of the world’s most pressing problems,” the companies said in a statement. “Through close cooperation and collaboration with developers, governments, and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID‑19 and accelerate the return of everyday life.” 


Google bans use of Zoom on employee computers

Following a boom in popularity, Zoom is facing backlash over its security shortcomings

Google is banning the use of video conferencing application Zoom by its employees due to security concerns. 

The number of Zoom users ballooned recently after more Americans began working remotely to slow the spread of the coronavirus. But after use of the platform surged, it became evident that Zoom’s security measures weren’t enough to support its new popularity. 

On Wednesday, Buzzfeed reported that Google sent its employees an email last week telling them that if they had the Zoom app installed on their work computers, they would soon find that the software no longer functioned.  

“We have long had a policy of not allowing employees to use unapproved apps for work that are outside of our corporate network,” a Google spokesperson told Buzzfeed. “Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees.” 

The spokesperson added that employees who have been using Zoom to stay connected with family and friends can “continue to do so through a web browser or via mobile.”

Security vulnerabilities 

As Zoom’s traffic dramatically increased, so did incidents of harassment on the platform. “Zoombombing” -- where a hacker disrupts a meeting with racist remarks, aggressive language, pornographic content, or even death threats -- has rattled Zoom users and prompted the FBI to issue a statement saying the offense is “punishable by fines and imprisonment.” 

Other Zoom vulnerabilities have included undisclosed data sharing with Facebook, exposed Zoom recordings and LinkedIn profiles, and a “malware-like” installer on the Mac version of the app.

In light of the apparent privacy issues, New York City’s Department of Education recently announced that educators who use Zoom as a platform to teach remotely would need to gradually transition to other virtual classrooms in light of the security vulnerabilities on Zoom. 

The DOE said it received “various reports documenting issues that impact the security and privacy of the Zoom platform.” 

“Based on the DOE’s review of these documented concerns, the DOE will no longer permit the use of Zoom at this time,” the Department said last week. “Schools should move away from using Zoom as soon as possible.” 

Zoom founder and CEO Eric Yuan said in a recent blog post that supporting the influx of users has been a “tremendous undertaking,” but his company is doing everything it can to strengthen security measures. Zoom said it would temporarily pause new features on the app for 90 days while it focuses on improving security and privacy. 


Marriott announces second major data breach in two years

More than 5 million guest records were stolen in the latest breach

For the second time in two years, Marriott International has disclosed that it suffered a massive data breach. The most recent breach of consumer data, which was disclosed on Tuesday, affects roughly 5.2 million guests. 

Information compromised in the breach included names, contact details, and addresses. The hotel chain said the data may have been accessed starting in January via the login information of two employees. 

“At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” the company said in a statement. “We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.” 

Marriott said its investigation into the matter is ongoing. However, company officials said they have “no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.” 

Affected customers received an email on Tuesday informing them of the discovery. Marriott has also set up a website where guests can submit a request to see if their information was involved in the breach. 

Second incident in two years

In 2018, Marriott announced that it suffered a data breach involving the names, addresses, contact information, and passport numbers of over 300 million guests who checked into one of its Starwood hotel locations. The company said at the time that an investigation revealed that unknown parties gained access to the database at some point during 2014. 

Following the most recent breach, Marriott outlined a number of steps that impacted guests can take to protect their information. The company said affected Marriott Bonvoy members will have their accounts automatically disabled and will need to change their password the next time they log in. 

For all guests who think they may have been affected, Marriott recommends signing up for credit monitoring, changing your password, enabling two-factor authentication, and keeping a lookout for potential fraud emails.

Room for improved cybersecurity practices

The latest breach calls into question the security improvements made in the wake of the breach that occurred in 2017, said Tyler Moffitt, a senior threat research analyst at Webroot.

“While this breach is not as widespread as the previous incident, it is still worrisome, with names, phone numbers, emails and other sensitive information released,” Moffitt told ConsumerAffairs. 

“This second offense is apparently the result of two employees' credentials improperly accessing guest information, which further amplifies the need for companies to be aware of malicious insiders and put better cybersecurity practices into place for credential abuse and permissions.” 

Regardless of whether they are affected by this particular breach, consumers “need to be wary of the personal information they share with companies and make sure it’s protected, including regularly updating passwords and implementing credit monitoring,” Moffitt said.


Zoom’s privacy practices questioned by New York Attorney General

Consumers need to know exactly what data they’re letting platforms see and use

As the spread of COVID-19 forced the world to start hunkering down from home and using technology like videoconferencing to hold virtual meetings, religious services, and family get-togethers, remote conferencing service Zoom has taken off like a rocket. In Italy alone, during the peak week of its crisis, the Zoom app was downloaded more than a half-million times.

Getting lots of love is welcome at any technology company, but Zoom’s rise has created a lift-the-covers look-see from New York Attorney General Letitia James, who wants to make sure the company’s data privacy and security practices are up to snuff.

According to the New York Times, the Attorney General’s office sent Zoom a letter pointedly asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers.

Who’s zooming who?

While the Attorney General says her office regards Zoom as “an essential and valuable communications platform,” her letter details several concerns. James suggests that the company has slacked on its efforts to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams” -- a novelty some refer to as “Zoombombing.” 

Unfortunately, this novelty is anything but fun. It has allowed mavericks to take advantage of a Zoom screen-sharing feature to hijack meetings and butt in on educational teleconferences and Sunday School group meetings. Some hackers have even gone so far as posting white supremacist messages while a webinar on anti-Semitism was going on. 

Someone bringing up the subject of security flaws is nothing new to Zoom. In July, 2019, security research company Checkpoint Research notified Zoom that it had detected a flaw in the company’s system that “allowed a threat actor to potentially identify and join active meetings” by using randomly generated meeting IDs. When Checkpoint tested out the hackers’ method, it was able to successfully mimic that break-in technique roughly 4 percent of the time. 

In response, Zoom made changes that would keep those bad actors from joining meetings at their will by building in a trigger that would cause hackers’ devices to be blocked for a period of time if they repeatedly attempted to scan for meeting IDs. 

Zoom updates its privacy policy

ConsumerAffairs thought it might be interesting to take a comparative look at Zoom’s privacy policy as of March 29 -- about the time the company should have received the AG’s letter -- to see how it framed its privacy policy a week or so before (March 18, 2020). What we found indicates that Zoom has taken a much harder look at how it articulates what its users should expect when it comes to privacy and what uses the company allows for itself.

To its credit, Zoom made its policy easier to understand and more straightforward. For example, it did away with the whitewashing of how it went about data collection and scrapped gauzy phrases like: “We use this information to offer and improve our services, trouble shoot, and to improve our marketing efforts.” 

One big change that ConsumerAffairs found to be more consumer-friendly was dispensing with the laundry list of bullet points and paragraphs detailing its privacy policy and going with a table where the company laid out a far more understandable portrayal of what data it collects, examples, and how it uses that information. You can find the company’s revamped privacy policy on its website here.


More than 50 malicious children’s and utility apps found on Google Play

Google has removed the apps, but Android users need to double-check their phones to see if they’ve downloaded any of the culprits

While the world is trying to find a way to stave off the coronavirus, there’s a new digital lowlife set on upending the lives of Android users.

Security researchers have identified a new, interconnected malware “family” that was operating in 56 applications on the Google Play store. The apps in question were downloaded close to 1 million times worldwide.

“Although Google has taken steps to secure its Play store and stop malicious activity, hackers are still finding ways to infiltrate the app store and access users’ devices,” cyber threat intelligence firm Checkpoint said.

“Millions of mobile phone users have unintentionally downloaded malicious apps that have the ability to compromise their data, credentials, emails, text messages, and geographical location.”

The attack mode

Checkpoint believes the goal of this digital dastard -- aka “Tekya” -- is mobile ad fraud. Once in a user’s system, it mimics an app user’s actions and secretly clicks on ads and banners within an app.

Ad fraud can be committed in many ways -- from faking the number of installs of a certain app to generating views or impressions that never took place -- all in hopes of hoodwinking an advertiser into buying ads on apps that the people behind Tekya are somehow connected to.

What are the apps and what should you do?

Of the 56 affected apps, Checkpoint says 24 of them are children’s games -- e.g. “Cooking Delicious” and “Race in Space.” Another 32 are utility apps for things like weather and translation. A complete list is available on Checkpoint’s website.

Consumers who want to protect themselves from this malicious scheme should check whether any of the suspicious apps are on their phone and take the following recommended steps:

  1. Uninstall the infected application from the device

  2. Install a security solution to prevent future infections

  3. Update your device’s operating system and applications to the latest version

Google has yanked the suspicious apps from its app store to protect its user base. However, if the past is any indication, the odds are good that more digital cockroaches will find another way to use Google Play as an inroad to do their dirty work. 

Going forward, Ravie Lakshmanan at TheHackerNews offered what ConsumerAffairs thinks is sound advice for Android users. 

“To safeguard yourself from such threats, it's recommended that you stick to the Play Store for downloading apps and avoid sideloading from other sources,” Lakshmanan wrote. “More importantly, scrutinize the reviews, developer details, and the list of requested permissions before installing any app.”


MGM Resorts data on over 10 million guests found on the dark web

The company says payment details were not compromised

Hackers who seized personal data from more than 10 million guests at MGM Resorts last year are now trying to cash in by selling that information to the highest bidders.

Technology publisher ZDNet reports that it found personal details on the breach victims listed on a hacking forum this week. The information includes personal and contact information on guests, including well-known celebrities and business executives.

ZDNet said it has independently verified that the information seen online is authentic.

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” a company spokesman said in a statement to the media. People compromised by the hack have been notified, the company said.

MGM Resorts said it has contracted two cybersecurity forensic investigative companies to help the company fully understand how the security breach occurred. It said it has also begun beefing up its network security to prevent future intrusions.

Data breaches are racking up

The spokesman said the leaked data did not include payment information, which was included in recent hacks of convenience store chains Wawa and Rutters. The Wawa hack, affecting 30 million customers, was reported in December. By late January, much of the data was for sale on the dark web.

Hackers began advertising the card data for sale on sites known to be used by hackers. Experts at Gemini Advisory, a threat intelligence firm, said the source of the card data was confirmed as coming from Wawa.

Hackers have been able to make a handsome profit when they market stolen data on the dark web, but the sheer volume of this information has made it more difficult to find buyers in recent years.

Late last year, researchers came across a huge collection of data on a poorly guarded server and notified authorities before it could be compromised. The data belonged to consumers in Canada, the U.K., and the U.S. and included phone numbers and social media profiles. Social Security numbers, passwords, and credit card numbers were not found.


Hackers lived inside of Citrix’ network for five months, the company confirms

Information from many of the nation’s top companies may have been up for grabs

A new story about Citrix Systems proves that no one is safe from hackers and digital con artists.

One would think that a software company known for networking, software as a service (SaaS), and cloud computing might be super vigilant. But, it appears that no person or company is immune. Citrix has confirmed that some nasty hackers were roaming through its networks for five months between 2018 and 2019, grabbing the financial and personal data of Citrix employees, contractors, and even interns and dependents of employees. 

The company says the hackers may have also made off with Social Security Numbers, other tax ID numbers, driver’s license numbers, financial account numbers, payment card numbers, passport numbers, and health claims information like provider names and dates of service.

It took Citrix almost a year to come clean about the intrusion. In a February 10, 2020 letter to those who may have been affected, Citrix divulged that the attackers “had intermittent access” to Citrix’s internal network between Oct. 13, 2018 and Mar. 8, 2019. However, it stated there was zero evidence that hackers remained in the company’s systems.

Why a letter? Citrix’s letter was prompted by laws in virtually all U.S. states that require companies to notify affected consumers of any incident that may have compromised their personal data. Plus, the Federal Trade Commission (FTC) has an additional breach notification rule for any business that collects health-related information.

Password spraying

Rewinding to March 2019, Krebs on Security reports that the Federal Bureau of Investigation (FBI) alerted Citrix about the potential incursion, saying that the hackers probably got into Citrix’s networks using a technique called “password spraying.” 

Password spraying is an attack mode that tries a few commonly used passwords, such as “Password1,” against a large list of usernames. That technique is used because it lets the hacker remain hidden and avoid the account lockouts that repeated guesses against a single account would trigger.
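Because a spray fails only once or twice per account, per-account lockout counters never fire; the signal is instead one source failing against many different accounts in a short window. The following detector, added here as an example and not code from the article, Citrix or the FBI, runs that check over a constructed auth log (the log format, field names, thresholds and IP addresses are all assumptions):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). Source
# 203.0.113.7 tries each of six accounts exactly once, the lockout-avoiding
# pattern a spray produces; 198.51.100.5 is one user mistyping her own password.
SAMPLE_LOG = """\
2019-03-01T08:00:01 auth FAIL user=alice src=203.0.113.7
2019-03-01T08:00:14 auth FAIL user=bob src=203.0.113.7
2019-03-01T08:00:29 auth FAIL user=carol src=203.0.113.7
2019-03-01T08:00:41 auth FAIL user=dave src=203.0.113.7
2019-03-01T08:01:03 auth FAIL user=erin src=203.0.113.7
2019-03-01T08:01:20 auth FAIL user=frank src=203.0.113.7
2019-03-01T08:02:00 auth FAIL user=gina src=198.51.100.5
2019-03-01T08:02:08 auth FAIL user=gina src=198.51.100.5
2019-03-01T08:02:15 auth FAIL user=gina src=198.51.100.5
2019-03-01T08:02:30 auth FAIL user=gina src=198.51.100.5
2019-03-01T08:02:45 auth OK user=gina src=198.51.100.5
"""

# Assumed log layout: ISO timestamp, "auth", result, user=..., src=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not auth events
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag sources whose failures spread across many accounts with few tries each.

    Failures are grouped per source and scanned with a sliding time window.
    Inside any window, a spray shows as >= min_users distinct accounts while
    no single account exceeds max_per_user failures (i.e. it stays under a
    typical lockout threshold). A user retrying her own password fails many
    times on one account and is not flagged. Returns {src: set_of_targeted_users}.
    """
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i in range(len(attempts)):
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - attempts[i][0] > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.setdefault(src, set()).update(per_user)
    return flagged


if __name__ == "__main__":
    for src, users in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {len(users)} accounts targeted")
```

The source-level view complements, rather than replaces, per-account lockout: the thresholds should be tuned to the environment, since shared NAT addresses produce many distinct users legitimately.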

Ring adds more security features following data breach

Users will need to enable two-factor authentication to use the service

Users of the Ring video doorbell are likely seeing a new update from the company that seeks to update and improve the device’s security. 

The company announced this week that it was adding more security measures to users’ accounts to ensure that they stay protected from hackers and other malicious actors. The move follows a massive breach that allowed hackers to steal sensitive information and control the devices of more than 3,600 device owners. 

“At Ring, our mission is to make neighborhoods safer and we strive to give our customers the peace of mind that comes from knowing their homes are more secure. Delivering you privacy, security and control are foundational to achieving our mission,” the company stated. 

“That’s why we’re listening to what you, our customers, are saying and taking additional steps to help you feel confident that your home and personal information are safe when you use our products.”

Mandatory two-factor authentication

Under its new privacy stance, the company is requiring all users to enable two-factor authentication. It says the new level of security will be required when users log in to their accounts and will help verify that hackers haven’t improperly gained access. 

The process works much like any other two-factor authentication system. When users attempt to log in to their device, a six-digit code will be sent to their phone or another device that will be needed to gain access. 

Additionally, the company says it will be keeping another new security feature implemented in December that alerts users every time someone tries to log in to their account. The idea is that users will quickly be able to recognize if someone is targeting their Ring account so that the issue can be resolved and reported quickly.

Security recommendations

In its announcement, Ring also provided a list of best security practices that it says will help keep users’ accounts secure. The list follows:

  • Don’t reuse passwords between your various online accounts – instead, generate unique, strong passwords for each account.

  • Keep your phone numbers and email addresses up to date on your various online accounts.

  • Add a PIN or passcode to your smartphone account to help prevent unauthorized changes to your mobile account. You can do this by logging into your mobile phone account or calling your wireless carrier.

  • Upgrade to the latest version of your apps and operating systems, including the latest Ring apps.

  • View and manage your trusted devices in your “Authorized Client Devices” section of Control Center on your Ring app.

  • Add Shared Users to your Ring account instead of sharing your login credentials. You can also view and manage Shared Users in Control Center.

Rutter’s convenience store chain reports data breach

The details are similar to the hack of Wawa’s payment card system

Rutter's, a chain of convenience stores and gas stations with 72 locations in central Pennsylvania, West Virginia, and Maryland, has reported details of a data breach that exposed customers’ payment card information.

The breach is disturbingly similar to one that victimized Wawa, another convenience store chain. That breach was announced in December and affected nearly 30 million consumers.

“On January 14, 2020, the investigation identified evidence indicating that an unauthorized actor may have accessed payment card data from cards used on point-of-sale (POS) devices at some fuel pumps and inside some of our convenience stores through malware installed on the payment processing systems,” Rutter’s said in a statement. 

Similar methods

In the Wawa incident, a team of security investigators found malware on the company’s payment processing servers on December 10 and contained it two days later. The malware was able to capture payment card data from cards used in gas pump card readers as well as in point of sale terminals inside the stores.

The Rutter’s announcement suggests that the hackers were using the same or very similar method. Investigators say the malware found on Rutter’s servers searched for tracking data and read from a payment card as it was being routed through the payment processing systems. But not all cards used at the stores may have been compromised.

“Chip-enabled (EMV) POS terminals are used inside our convenience stores. EMV cards generate a unique code that is validated for each transaction, and the code cannot be reused,” the company said. “As a result, for EMV cards inserted into the chip-reader on the EMV POS devices in our convenience stores, only card number and expiration date were involved.”

It also appears that the malware did not copy data from all of the payment cards used during the time it was on the company’s network. What’s clear, the company said, is that this hack was a sophisticated operation and not the result of a handheld "skimmer" being placed on a Rutter's fuel pump. 

New way to steal data

Visa warned in December that this type of hack was becoming more common. Over the summer, Visa said it found that “threat actors” had stepped up their game when it comes to stealing consumers’ payment card information. 

The scammers target merchant employees through the use of phishing emails. If someone clicks on an email link, they download malware that infects the entire network. Once inside the company’s system, it has no need to use risky and “low-tech” gas pump skimmers to steal payment card information.

As for the Rutter’s hack, the company says the specific timeframes when data from cards used at the locations involved may have been accessed vary by location. But the malware could have been capturing data at some locations from October 1, 2018 through May 29, 2019.

Consumers who used a payment card to make purchases at Rutter’s between those dates should carefully monitor statements and inform their bank or credit card issuer. Those companies may or may not choose to issue new cards.

U.S. security officials say Huawei can secretly access telecom networks

The biggest risk might be faced by consumers in smaller markets where regional telcos use Huawei because it’s ‘good and cheap’

U.S. security officials say they have cold, hard evidence that Chinese tech firm Huawei has backdoor access to mobile-phone networks. They allege that no one, no matter where they live, is out of Huawei’s reach.

"We have evidence that Huawei has the capability secretly to access sensitive and personal information in systems it maintains and sells around the world," U.S. National Security Adviser Robert O'Brien said in a new Wall Street Journal report.

The push for and against Huawei

The White House and Congress have been at odds over Huawei. While lawmakers tried to limit Huawei’s U.S. footprint, the Trump administration reversed its original concerns and wanted Congress to back off a bit. However, just last month, the administration appeared to change its tune and put heat on European nations to leave Huawei out of any and all of their tech plans.

But Europe didn’t heed Trump’s advice, and both the United Kingdom and Germany moved forward with Huawei, albeit with some restrictions.

That move got the goat of Rep. Jim Banks (R-IN), so he introduced a bill that would bar the United States from sharing intelligence with any country that permits Huawei to operate inside its networks.

“Huawei is a Trojan Horse for the Chinese Communist Party to spy on and infiltrate other nations. Our allies must choose: Adopt Huawei and lose access to U.S. intelligence, or remain our trusted partner,” Banks said in a statement.

Over at the Senate, Senator Tom Cotton (R-AR) started the anti-Huawei ball rolling as well. 

"The United States shouldn't be sharing valuable intelligence information with countries that allow an intelligence-gathering arm of the Chinese Communist Party to operate freely within their borders,” Cotton wrote. “I urge our allies around the world to carefully consider the consequences of dealing with Huawei to their national interests."

Is Huawei a bad actor?

The biggest issue U.S. officials have had with Huawei is their claim that it can clandestinely access mobile and computer networks via networking gear that it sells to telcos. U.S. officials told the Journal that Huawei’s antics have been on their radar since 2009. Despite that knowledge, the officials the Journal spoke to "declined to say whether the US has observed Huawei using this access."

As expected, Huawei said prove it. “If they believe there’s a backdoor, they should offer evidence to prove it,” Liang Hua, Huawei’s chairman, said at last year’s World Economic Forum.

Are U.S. consumers out of harm’s way?

In ConsumerAffairs’ research on the who, what, and where of this case, we found a multitude of telcos that use Huawei equipment. FierceWireless’s latest report counted as many as 200,000 consumers across the U.S. who mostly get their service from small and regional telcos that use Huawei equipment. Those telcos serve customers in Western Kentucky, Western Tennessee, Western Colorado, South Dakota, Nebraska, Western Kansas, Northeast Colorado, Montana, Utah, Idaho, and Northwest Dakota.

“Why are so many smaller U.S. wireless companies working with Huawei, even after a 2012 government report warned that equipment from Huawei and ZTE could be used by the Chinese government for espionage?” asked FierceWireless’ Tom Dano. “That’s simple: Huawei equipment is apparently good and cheap.”

“It’s hard not to link all the current noise over Chinese threats to national security back to Trump’s brewing trade war with the country,” Dano said. “It seems clear that (the larger telco) companies like ZTE and Qualcomm are probably being used as chess pieces in a broader game.”

“And if that’s the case, (smaller, regional telco) companies like United TelCom, Viaero, and NE Colorado Cellular might need to prepare themselves to enter a chessboard where they will probably serve as pawns, not queens.”

The U.S. accuses China of carrying out the 2017 Equifax data breach

Four members of the Chinese military have been indicted for the largest breach in history

Attorney General William Barr has announced the indictment of four members of China’s military for the 2017 Equifax data hack that exposed sensitive information on nearly 150 million people.

The government investigation found that the data breach was part of a massive attack that also stole trade secrets from Equifax. Barr called it a “deliberate and sweeping intrusion” into the private information of the American people.

“We collect information only for legitimate national security purposes; we don’t indiscriminately violate the privacy of ordinary citizens,” Barr said. 

This isn’t the first time China has been accused of a cyberattack on a U.S. data network, but it has always denied the accusations. The Chinese government has yet to comment on the latest charges.

Nine-count indictment

A federal grand jury in Atlanta returned the nine-count indictment against the Chinese nationals who the government says were working for the People’s Liberation Army. They are charged with breaking into Equifax’s online dispute portal by exploiting a major software flaw.

The 2017 data breach caused widespread havoc among the consumers whose information was stolen. Since Social Security numbers were part of the theft, it requires life-long credit monitoring to guard against a victim’s identity being stolen.

Equifax, meanwhile, faced a barrage of lawsuits and has paid out millions of dollars in settlements, the latest coming last summer when the company settled claims by the U.S. government and 48 states.

“It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government,” said Equifax CEO Mark Begor. “The attack on Equifax was an attack on U.S. consumers as well as the United States.”

Begor said Equifax has made significant progress in protecting data since the hack. He says the company has invested $1.25 billion since 2018 on beefed-up security and technology.

Consumers continue to worry most about safeguarding personal data, study finds

California’s new data privacy law is a good start, but there are little things consumers can do on their end

As consumer privacy continues to seemingly spin out of control, a new study shines some interesting light on which consumers are the most concerned and what exactly they’re concerned about.

In the throes of Data Privacy Month, Viber, a messaging and calling app, went on a mission to find those things out. Here’s what it uncovered in that survey.

Consumer privacy concerns

When asked what their biggest privacy concern is in 2020...

  • One-third of consumers (33 percent) said their #1 concern was safeguarding their data. Breaking down that metric a bit more, nearly half of women (47 percent), but only three in 10 men (28 percent), expressed that concern.

  • Members of Generation Z (the generation of people born in the late 1990s and early 2000s) are the least concerned demographic when it comes to privacy and safeguarding their data.

    • Viber’s study showed that 3 in 10 Gen Z’ers (30 percent) are not concerned about privacy this year, compared to millennials (17 percent) and baby boomers (13 percent).

    • Baby boomers (42 percent) are most concerned about safeguarding their data this year, compared to millennials (25 percent) and Gen Z’ers (22 percent).

  • Consumers are more worried about tax identity theft (8 percent) than government surveillance (6 percent), social media breaches (5 percent) and online impersonation attempts (3 percent).

    • Men (7 percent) are more concerned about government surveillance than women (4 percent).

Steps consumers can take to safeguard their data

“With data breaches increasing by 17 percent in 2019, it comes as no surprise that one-third of consumers (33 percent) say that their biggest privacy concern in 2020 is safeguarding their data,” Debbi Dougherty, Head of Communications, Rakuten Viber, told ConsumerAffairs.

“For too long, irresponsible tech companies and social media platforms have been taking advantage of, mishandling and downright not disclosing how they intend to use our data. While the California Consumer Privacy act that went into effect at the beginning of this year is a win for consumers in the fight for privacy in that state specifically, there are still things all consumers can do to go the extra mile in helping to protect themselves and their data.”

What are the best steps consumers can take? Dougherty laid out three for ConsumerAffairs:

  1. Be mindful of the apps you use. Check to see if apps where more private information is typically shared, like messaging platforms, are end-to-end encrypted. If they are, it means the company behind the app you’re using can’t read your personal chats or serve you ads based on private conversations -- thus ensuring your data is kept private.

  2. Use better passwords. Simply put, one of the best things you can do is avoid reusing the same password across multiple accounts. While that piece of advice may sound like common sense, another recent report shows that more than half (51 percent) of Americans admit to reusing passwords/PINs across multiple accounts. Poor privacy habits like this make it easier for hackers to gain entry into multiple accounts, thus putting consumers’ data privacy at a greater risk.

  3. Don’t neglect your device’s privacy updates. Don’t ignore them. If a company sends out a privacy update, take the time to read it and educate yourself on the changes. One of the best ways to protect your data is to be aware of what it is being used for when you create a new account with a social platform. While this may seem tedious and time consuming, you will be better off for it in the long run.

Twitter issues apology for hack of 17 million users’ phone numbers

The platform says hackers from Iran, Israel, and Malaysia could be the perpetrators

Attackers have exploited Twitter in a gigantic grab-and-go that included the personal phone numbers of as many as 17 million users.

Twitter came clean on Monday about a December hack job that exploited its API (application programming interface) by matching usernames with phone numbers via its “Let people who have your phone number find you on Twitter” option. Those who didn’t have that setting enabled lucked out, and their phone number wasn’t exposed. 

"We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it,” the company confessed.

State-sponsored actors?

While the accounts associated with the hack were from a “wide range of countries,” Twitter’s investigation found “a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia.” The platform says it’s possible that some of those addresses “may have ties to state-sponsored actors” and that it was disclosing that information “out of an abundance of caution and as a matter of principle.”

The Jerusalem Post says its investigation of the matter leads it to believe that former Israeli intelligence agents have found ways to gain backdoor access not only to Twitter, but a variety of social-media platforms. However, the Post stopped short of saying with certainty that agents used the techniques while they were employed by Israeli intelligence. 

“There have been numerous reports that top intelligence agencies, including American ones, are sometimes able to use such techniques,” it wrote.

Make sure you’re protected

While Twitter didn’t say why it waited more than a month to go public with the phone number swindle, it did say that it made changes to users’ phone number options in hopes that a similar heist won’t happen again. 

“We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day. You can reach out to our Office of Data Protection through this form if you have questions.”

Twitter users can double-check to make sure their phone numbers and personal emails are safe from prying eyes. According to HackerNews, all it takes is navigating to the 'Discoverability' setting in a user’s Twitter account and disabling it.

Data breaches were more common in 2019, report finds

While fewer files were exposed, experts say the trend is ‘a serious issue’

The 2019 year-end report on identity crime is out, and the results aren’t very encouraging from a consumer standpoint.

A quick thumbnail of the findings shows that the number of U.S. data breaches tracked in 2019 (1,473) increased 17 percent from the total number of breaches reported in 2018 (1,257). While fewer personal records were exposed overall year-over-year, it’s important to note that, had the 2018 Marriott data breach never happened, 2018 would have had nearly half as many exposures as 2019. That breach exposed approximately 383,000,000 records on its own.

The report comes from the Identity Theft Resource Center (ITRC), a non-profit organization established to support victims of identity crime.

Here’s how 2019 shakes out compared to 2018:

Sector | 2019 Total Breaches | 2019 Sensitive Records Exposed | 2018 Total Breaches | 2018 Sensitive Records Exposed
Business | 644 | 18,824,975 | 575 | 438,952,056
Medical/Healthcare | 525 | 39,378,157 | 369 | 10,632,600
Government/Military | 83 | 3,606,114 | 100 | 18,447,92
Banking/Credit/Financial | 108 | 100,621,700 | 125 | 1,778,658
Education | 113 | 2,252,439 | 78 | 1,414,624

“The increase in the number of data breaches during 2019, while not surprising, is a serious issue,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “The 2019 reporting year sees a return to the pattern of the ever-increasing number of breaches and volume of records exposed… (meaning) that more consumers are becoming victims.”

The impact on consumers

In ConsumerAffairs’ breakdown of the report, there were a number of caution signs that consumers need to understand and steps they can take to protect their data. The authors make note of several areas that consumers should focus on:

Convenience in banking and purchasing continues to enable data breaches and unsecure data. “Consumers/ businesses want ease of access to their data and frictionless transactions. Greater security measures often mean creating barriers to accessing data – which means more hoops to jump through and delays in completing a transaction. Shortcuts to strong security create a vulnerability that is easy to exploit, such as default security tools that do not force an automatic configuration update upon installation or easy-to-use/duplicated usernames and passwords,” the report states.

Consumers have to do their part. “Frictionless engagement (an example being a cashierless store that allows consumers to select merchandise from a shelf and walk out of the store without stopping at a checkout stand), doesn’t equal consumer-first security,” the report warned. 

“Every time a consumer requests convenience over a more secure engagement, it creates an environment where hackers and bad actors have fewer obstacles to getting to their payday. Consumers that continue to value convenience over security place their data in the cross-hairs. Consumers need to evaluate whether the additional convenience of faster access outweighs the increased security that additional measures provide. Does that extra couple of seconds mean more to you than the knowledge that your data is less accessible to ne’er-do-wells looking to profit from your PII (Personally identifiable information)?”

Consumers aren’t using the protection tools available. “Lastly, consumers have tools available to them but don’t dismiss the warning signs,” the report admonished. “Got a notification letter that your data was exposed? Don’t toss it aside and ignore it. See a news story about a breach in the news regarding a company with which you do business? Go get more information to see what you may need to do to minimize your risks.”

Consumer resources to improve identity protection

Identity protection tools are one of those things that you don’t know you need until you really need them. And if your personal information gets compromised, spending as little as $7 a month for an extra layer of protection is well worth the expense.

To that end, ConsumerAffairs has produced a guide on identity theft protection to help consumers navigate the various services and find one that best suits their needs. While it’s not an identity theft protection service, per se, the ITRC has also created an app that can help keep consumers in the loop as to breaches that are occurring and tips on improving identity protection. It’s available here.

E-scooters present security and privacy risks for owners, study finds

Researchers say the products are prime targets for hackers

E-scooters are becoming more popular among consumers, especially those who live in urban areas and value their high mobility. But a recent study shows that these devices have their drawbacks when it comes to security. 

Researchers from the University of Texas at San Antonio say that hackers can easily target e-scooters to mine for personal information or actively interfere with how the product works in real time.

"We've identified and outlined a variety of weak points or attack surfaces in the current ride-sharing, or micromobility, ecosystem that could potentially be exploited by malicious adversaries right from inferring the riders' private data to causing economic losses to service providers and remotely controlling the vehicles' behavior and operation," said assistant professor Murtuza Jadliwala.

Data leaks

According to the researchers, there are many angles from which hackers can attack e-scooters. Perhaps one of the most invasive ways is to go after a rider’s smartphone by delving into the Bluetooth connection that often links these devices with the internal e-scooter systems. This can compromise a trove of information, including preferred routes, home and work locations, and other sensitive data.

Companies who maintain and rent out e-scooters can also give hackers a way to access consumers’ personal information. The research team says that the billing information each business collects as part of a rental transaction can be up for grabs if it isn’t properly encrypted. The risk of a data leak or denial-of-service attack can also become high if proper protections aren’t in place.

"Cities are experiencing explosive population growth. Micromobility promises to transport people in a more sustainable, faster and economical fashion," said Jadliwala. "To ensure that this industry stays viable, companies should think not only about rider and pedestrian safety but also how to protect consumers and themselves from significant cybersecurity and privacy threats enabled by this new technology."

The team’s full study is being presented at AutoSec 2020.

Latest Microsoft leak left 250 million customer records exposed

The company says it has fixed the problem

If Microsoft didn’t have enough on its plate with malware and the overall mess that came out of Windows 10, then it probably does now. A new report indicates that 250 million of its customers’ records have been exposed online. Why? Because Microsoft left the gateway to those records password-unprotected.

Those quarter-billion records span nearly 14 years and contain logs of conversations that Microsoft tech support agents had with consumers, according to Comparitech, a pro-consumer website focused on researching and comparing tech services. Comparitech says it “stumbled” upon the databases and that they could have been accessed by anyone with a web browser.

“The nature of the data appears to be that much of the personally identifiable information was redacted,” commented Paul Bischoff, a tech writer, privacy advocate, and VPN expert at Comparitech.

“However, the researchers say that many contained plain text data including customer email addresses, IP addresses, geographical locations, descriptions of the customer service and support claims and cases, Microsoft support agent emails, case numbers and resolutions, and internal notes that had been marked as confidential.”

Microsoft quickly responds

To the untrained eye, this may seem like another ordinary oops from Microsoft, “but when you consider that Microsoft support scams are pretty rampant, it doesn't take a genius to work out how valuable such information would be to the fraudsters carrying out such attacks,” Bischoff said.

Comparitech says it contacted Microsoft when it happened upon the issue. Within 24 hours, the company fixed the situation and analyzed the data to make sure all was OK. It also said it contacted any consumer whose data may have been purloined. 

“We’re thankful to (Comparitech) for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate,” Eric Doerr, General Manager at Microsoft, told ConsumerAffairs.

Microsoft couched the incident as one of those “misconfigurations [that] are unfortunately a common error across the industry.” While that may be true, the company is reminding its customers that they should periodically review their computer settings to make sure they’re putting all available protections to good use.

To its credit, the company has been very proactive in that regard. The latest protection comes with the latest version of Microsoft Edge and Bing which, supposedly, gives users more control over their personal data and more transparency into what information is being collected by websites or advertisers.

Reuters: Apple agreed to FBI request to drop plan for extensive encryption

Sources say the tech giant has a closer relationship with law enforcement than in the past

Apple has tangled with the FBI on some occasions over refusing to unlock suspects’ iPhones. But an investigation by Reuters claims the company shelved plans to let customers fully encrypt the backups of their devices when the FBI objected.

Reuters cites six sources for its story. The news agency says Apple declined to comment, and the FBI did not respond to news media requests for comment.

The Reuters report suggests Apple is now much more willing to aid law enforcement in gaining evidence against suspects, especially in cases involving violence and terrorism. While Apple has been a staunch defender of user privacy, law enforcement has called on the company to help bring criminals to justice.

Last week, Attorney General William Barr called on Apple to remove encryption from two iPhones used by a Saudi Air Force officer who shot and killed three Americans at a Pensacola, Florida naval base last month.

In congressional hearings, lawmakers from both sides of the aisle have criticized the tech giant for preserving encryption on the accounts of people suspected in human trafficking and carrying out crimes against children.

2015 terrorist incident

Apple’s conflict with law enforcement burst into the open following the December 2015 terrorist attack in San Bernardino, Calif. One of the shooters had an iPhone, and the FBI asked Apple to unlock it so law enforcement could see if the attack was part of a wider operation. Apple refused.

The government took Apple to court to force the company to unlock the phone but later withdrew the complaint after it found an expert who was able to unlock the phone.

Since then, Apple and law enforcement have apparently had a less adversarial relationship. The Reuters report says Apple informed the FBI two years ago that it planned to launch end-to-end encryption when storing iPhone data on iCloud.

That meant Apple would no longer have the ability to unlock users’ encrypted data, so it would not be able to assist law enforcement in gaining access to suspects’ phones, even if it wanted to.

Reuters reports that the FBI objected to the plan, warning Apple that the move would prevent law enforcement from protecting the public from criminals who used iPhones to communicate. According to sources, Apple dropped the encryption plan the following year.


Hackers collect and publish thousands of smart device login credentials

The breach underscores the importance of securing your smart home devices

How secure is your smart home? It’s a question you might be asking after a hacker published a list of Telnet logins for more than half a million servers, home routers, and smart devices, the last category often referred to as the Internet of Things (IoT).

Telnet is a legacy application protocol that provides a text-based terminal session to a remote host over a network. It has no built-in encryption, so usernames, passwords, and everything typed in the session cross the network in the clear, which is one reason it should never be exposed to the internet.

According to tech site ZDNet, the hacker published the list on a hacker forum and included each device’s IP address, along with the username and password, potentially giving readers easy access to the compromised device.

That information can be used to take remote control of the compromised devices. Computers can be used to send out millions of spam emails. Smart devices, such as thermostats and garage door openers, can be used to carry out denial of service attacks on websites, making them inaccessible for short periods of time.

Denial of service attack

In 2016, hackers took control of millions of smart devices around the world to carry out such attacks against major websites, such as Amazon, Netflix, and Twitter.

Dyn, the DNS provider those sites had in common, investigated and found that many of the compromised devices had been infected with Mirai, malware that enlists infected devices into a botnet. That attack was directed at Dyn, but the same kind of compromise threatens individual consumers just as much and, in many ways, more invasively. 

A year later, security software firm Trend Micro reported a steady increase in the number of attacks on smart appliances, interfering with individuals’ use of their lights, home security systems, thermostats, and even TVs and baby monitors.

The hacker who published the latest list said the login credentials were easy to come by because they had either not been changed from the factory default or had been changed to easy-to-guess passwords like “1-2-3-4.”
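The technique the hacker describes, connecting to a device’s Telnet port and answering the login and password prompts from a list of factory defaults, as an added example that is not the hacker’s tooling or anything from ZDNet. So that it runs offline, the script also stands up a mock device on localhost that accepts exactly one credential pair; the credential list, prompts, and success/failure markers are constructed for illustration, and real devices vary. Only run it against devices you own or are authorised to test.

```python
"""Try factory-default Telnet credentials against a device (added example).

Not the published hacker tooling. Includes a localhost mock device so the
script runs offline; DEFAULT_CREDENTIALS and the prompt/marker strings are
illustrative, not a vendor list.
"""
import socket
import threading

IAC = 0xFF  # Telnet "interpret as command" byte

# Illustrative defaults of the kind the leaked list contained (constructed).
DEFAULT_CREDENTIALS = [
    ("root", "root"),
    ("admin", "admin"),
    ("admin", "1234"),
    ("user", "user"),
    ("root", ""),
]
FAIL_MARKERS = (b"incorrect", b"failed", b"denied", b"invalid")
SUCCESS_MARKERS = (b"welcome", b"# ", b"$ ", b"> ")


def strip_iac(data: bytes) -> bytes:
    """Drop option-negotiation sequences (IAC WILL/WONT/DO/DONT <opt> and
    two-byte IAC commands) so prompt matching sees only text. A full client
    would answer the negotiation; the mock device below sends none."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            i += 3 if 0xFB <= data[i + 1] <= 0xFE else 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def _read_until(sock, marker, timeout):
    """Read until marker (case-insensitive) appears, the peer closes, or timeout."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while marker not in buf.lower():
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += strip_iac(chunk)
    except socket.timeout:
        pass
    return buf


def _read_to_close(sock, timeout):
    """Read everything the device sends after the password until it hangs up."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while True:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return strip_iac(buf)


def try_login(host, port, username, password, timeout=3.0):
    """True if the device accepts the pair. Success is a heuristic (a greeting
    or shell prompt with no failure text), which is also how real tools judge it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_until(s, b"login:", timeout)
        s.sendall(username.encode() + b"\r\n")
        _read_until(s, b"password:", timeout)
        s.sendall(password.encode() + b"\r\n")
        reply = _read_to_close(s, timeout).lower()
    if any(m in reply for m in FAIL_MARKERS):
        return False
    return any(m in reply for m in SUCCESS_MARKERS)


def find_default_credential(host, port, candidates=DEFAULT_CREDENTIALS):
    """Return the first working (user, password) pair, or None."""
    for user, pw in candidates:
        if try_login(host, port, user, pw):
            return (user, pw)
    return None


def start_mock_device(valid=("admin", "admin")):
    """Minimal Telnet-style login service on 127.0.0.1 (mock, for offline runs);
    returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"login: ")
            user = lines.readline().strip().decode(errors="replace")
            conn.sendall(b"Password: ")
            pw = lines.readline().strip().decode(errors="replace")
            ok = (user, pw) == tuple(valid)
            conn.sendall(b"Welcome\r\n# " if ok else b"Login incorrect\r\n")

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                handle(conn)
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_mock_device(("admin", "1234"))
    print("working default credential:", find_default_credential("127.0.0.1", port))
```

The defensive reading of the same code: every pair in DEFAULT_CREDENTIALS that a device accepts is a login anyone on the internet can perform, which is why changing the default and disabling Telnet in favour of SSH (or no remote administration at all) is the fix, not a stronger password over a cleartext protocol.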

How to protect yourself

There are steps consumers should take to protect their smart devices and any device that connects to the internet. Norton Security reports the threat is much more personal than simply allowing your device to be taken over and used by a hacker.

It notes that smart devices in the home are data collectors and the personal information collected and stored with these devices, such as your name, age, health data, location and more, can aid criminals in stealing your identity.

You can protect yourself by installing reputable and highly rated internet security software on your computers, tablets, and smartphones. Use strong and unique passwords for device accounts, Wi-Fi networks, and connected devices. 

Also, do some research when you are shopping for a smart device. These devices collect a lot of personal data. While collecting data isn’t necessarily a bad thing, you should know about what types of data these devices collect, how it’s stored and protected, if it is shared with third parties, and the policies or protections they offer in the event of a data breach.


Facebook pledges to stop using phone numbers for friend suggestion feature

The company is making the move following a $5 billion fine from the FTC

Facebook says it will no longer use phone numbers gathered via two-factor authentication to drive its friend suggestion feature.

Reuters cites company officials as saying that the decision is driven by the desire to overhaul the platform’s privacy practices. Facebook has faced mountains of criticism over how it handles users’ data, from the Cambridge Analytica scandal to how it uses facial recognition. Other privacy headaches eventually led the Federal Trade Commission to levy a $5 billion fine against the company.

The move away from using two-factor authentication for user data purposes will reportedly start this week in five countries -- Ecuador, Ethiopia, Pakistan, Libya, and Cambodia. Plans to expand it globally will begin in early 2020. 

However, the policy change applies automatically only to new users, not to those who are already signed up. Reuters notes that existing users who want the same treatment can remove the phone number they use for two-factor authentication and then add it back in.

Antitrust concerns

While Facebook has already caught the ire of regulators from several different agencies, it may not be out of the woods yet. 

The FTC announced earlier this month that it will be opening up an antitrust investigation into the platform as part of a larger examination of the role of Big Tech companies in the U.S. Specifically, FTC officials will be seeking to find out if Facebook’s attempt to integrate several of its holdings will eventually make it too big to break up.

For more information about Facebook, including reviews by consumers, readers can visit ConsumerAffairs’ page here.


Wawa discloses massive data breach that began nine months ago

The convenience store chain says payment card data may have been exposed at all locations

Wawa, which operates hundreds of convenience stores along the East Coast, has reported details of a payment card data breach lasting nine months and potentially affecting all locations.

Consumers who used a credit or debit card at a Wawa location after March 4 may be exposed. In a statement, the company said the breach potentially exposed card numbers, expiration dates, and cardholders’ names.

Wawa says its security team found the malware on the company’s payment processing servers on December 10 and contained it two days later. The company says it brought in a forensics firm whose investigators determined that the malware began running at different times after March 4. 

Consumers face no liability

Wawa CEO Chris Gheysens apologized to customers and said the company believes the malware no longer poses a risk.

"Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers,” Gheysens said. “I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident.”

Wawa customers who used a payment card at any location in the last nine months should carefully examine their bank and credit card statements during that time for unauthorized charges. 

Customers should also notify the fraud departments of their card issuers to tell them the card was used at Wawa and may be potentially compromised. The institution may decide to issue new cards as a precaution.

Free credit monitoring

Wawa said it is offering identity protection and credit monitoring services at no charge to affected customers. You’ll find information about signing up here.

The company did not say -- and may not know -- how the system was breached. But as we reported earlier this week, fraudsters attacking gas pumps have become more sophisticated, using email phishing schemes to trick employees into downloading malware, which then makes its way to the card processing network.

When a customer buys gas with a credit card, the point-of-sale system sends the unencrypted data to the company’s main network where the scammer’s software is waiting to capture it. In issuing a warning, Visa said many companies make it easier for thieves by not walling off this data from the rest of the network.


Homeland Security rolls back its expansion of facial recognition

Travelers have the little-known right to opt out of the biometric process and use their passport instead

Facial recognition has become a rather touchy subject. Earlier this year, a $35 billion class action lawsuit was filed against Facebook over claims that it harvested consumer biometric data without consent. In San Francisco, the subject is so ripe that the city is considering banning all facial recognition technology within city limits. 

The U.S. government thinks it’s a touchy subject, too. First, the Federal Trade Commission (FTC) explored facial recognition and recommended that certain companies “provide consumers with an easy-to-use choice not to have their biometric data collected and used for facial recognition.” Now, the Department of Homeland Security (DHS) is following suit by rolling back its intended expansion of facial recognition in a renewed commitment to protecting traveler privacy.

The changes

Currently, by law, U.S. Customs and Border Protection (CBP), the DHS agency that manages, controls, and protects U.S. borders at ports of entry, is required to biometrically record foreign nationals’ entry to and departure from the United States. That mandate grew out of the 9/11 Commission, which concluded that such a system was “an essential investment in our national security.”

But on the consumer side of the privacy ledger, going that far may have been overreaching. After three face-to-face meetings with privacy experts to determine how far is too far in using the “biometric facial comparison” process at U.S. ports of entry, DHS has made four key moves that it says are in the best interest of the traveler. These include:

  • Reducing the maximum period it retains new photos of U.S. citizens from 14 days to 12 hours; 

  • Establishing rigid requirements which guarantee that airlines and other travel-related partners do not retain traveler photos for their own business purposes;

  • Working with all travel-related partners to give travelers adequate privacy notice by improving the signage and announcements at departure gates; and

  • Publishing 10 Privacy Impact Assessments to let the public know how DHS will collect, use, and store any and all personally identifiable information that’s part of the biometric process.

“CBP is committed to keeping the public informed about our use of facial comparison technology,” commented John Wagner, Deputy Executive Assistant Commissioner of the CBP Office of Field Operations. “We are implementing a biometric entry-exit system that protects the privacy of all travelers while making travel more secure and convenient.”

Potential to expose consumer data

While DHS’ intentions seem to be all well and good, security experts say that the potential for exposing personal data still looms large when it’s in the government’s hands.

“Despite these efforts, the government’s collection of its citizens’ biometric identity data is troubling for many especially since agencies already have mishandled the security of stored data,” writes ThreatPost’s Elizabeth Montalbano.

“In June, for instance, a data leak at the CBP exposed photos of the faces and license plates for more than 100,000 travelers that passed through checkpoints on the U.S.-Mexican border. The Office of Personnel Management also experienced a significant data breach in 2015 that resulted in the theft of fingerprint data of 5.6 million people.”

Should consumers be concerned?

Is facial recognition such a hot potato that consumers need to run as fast and as far away from it as they can? When we put the privacy question to David Chen, Co-Founder and Director of Engineering at Orbbec, he said no.

“Now, with the assistance of 3D camera technology, the accuracy of facial recognition has been dramatically improved and is capable of handling financial-grade security to make your devices more secure,” Chen told ConsumerAffairs. 

“While some people may still hold serious privacy concerns, actually they can rest assured knowing that all the face data will be stored as encrypted mathematical models and any applications that use facial recognition software will only be able to keep that encrypted data locally to ensure maximum privacy protection.”

If that’s not enough to put you at ease, consumers should know that they have the right to opt out of the biometric facial comparison process, and all it takes is notifying a CBP officer or airline representative. Anyone who opts out does have to present their passport for visual inspection instead.


Security firm finds cache of birth certificate applications exposed online

The data reportedly had no password protection and an ‘easy-to-guess’ web address

An online company that enables U.S. residents to obtain a copy of their birth certificate has exposed nearly 800,000 applications, according to Fidus Information Security.

“More than 752,000 applications for copies of birth certificates were found on an Amazon Web Services (AWS) storage bucket,” according to TechCrunch, which verified the discovery of the UK-based security firm. “The bucket wasn’t protected with a password, allowing anyone who knew the easy-to-guess web address access to the data.” 
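The bucket described here, and the Microsoft server exposure earlier on this page, are the same class of problem: storage reachable by anyone who finds the address. The following Python is an added example, not code from Fidus, TechCrunch, or the affected company. It checks an S3 bucket’s policy, ACL, and Block Public Access settings for exactly that condition, taking the documents as dicts shaped like the JSON that `aws s3api get-bucket-policy`, `get-bucket-acl`, and `get-public-access-block` return, so it runs offline; the bucket name and documents in it are constructed for illustration.

```python
"""Audit an S3 bucket's exposure from its policy, ACL and Block Public Access
settings (added example; the sample documents are constructed)."""

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous caller read or list objects. IAM action names are
# case-insensitive, so comparison is lower-cased; matching is exact, wildcard
# patterns other than those listed are not expanded.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_policy_statements(policy):
    """(kind, statement) pairs for Allow statements that grant read access to an
    open principal. kind is "public" when nothing narrows the grant, "conditional"
    when a Condition block (for example aws:SourceVpce) may still restrict it."""
    found = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        found.append(("conditional" if st.get("Condition") else "public", st))
    return found


def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    grants = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            grants.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return grants


def audit_bucket(policy, acl, public_access_block):
    """Combine the three signals. Block Public Access overrides the others:
    RestrictPublicBuckets neutralises public policy grants and IgnorePublicAcls
    neutralises public ACL grants, which is why turning it on is the quick fix."""
    pab = public_access_block or {}
    findings = []
    if not pab.get("RestrictPublicBuckets"):
        for kind, st in public_policy_statements(policy):
            findings.append(f"policy statement {st.get('Sid', '<no Sid>')} allows {kind} access")
    if not pab.get("IgnorePublicAcls"):
        for group, perm in public_acl_grants(acl):
            findings.append(f"ACL grants {perm} to {group}")
    return findings


# Constructed sample input: the classic "anyone who knows the URL can read it" setup.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-applications/*",
    }],
}
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
OPEN_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_PAB = {k: True for k in OPEN_PAB}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL, OPEN_PAB):
        print("FINDING:", finding)
    print("with Block Public Access on:", audit_bucket(SAMPLE_POLICY, SAMPLE_ACL, HARDENED_PAB))
```

A bucket with no password and a guessable address is precisely a Principal "*" grant or an AllUsers ACL entry with Block Public Access left off; object-level ACLs and a too-broad Resource pattern are the two further places to look.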

TechCrunch didn’t disclose the name of the company in question in order to protect the privacy of those who used the service. 

The applications involved in the exposure dated back to 2017 and contained information like the applicant's name, their date of birth, current home address, email address, and phone number. They also included other personal information, such as previous addresses and names of family members.

TechCrunch said that as many as 9,000 new applications have been added on a daily basis since it started looking into the exposure. 

Company hasn’t responded

Attempts to notify the company of the privacy issue have allegedly been met with “only automated emails” and no action so far. Amazon said it would also notify the company of the privacy issue, but officials added that they can’t take direct action to resolve the matter.

The safety of consumers’ online data has been called into question numerous times over the past several years. Earlier this year, investigators found that the medical data of around 5 million U.S. consumers could be easily accessed online. 

Last month, a privacy suit was filed against Amazon’s cloud division alleging the company “obtains and stores biometric data on behalf of its customers.” 

A report published in June by Comparitech estimated that there have been roughly 9,700 reported breaches involving over 10.7 billion records since 2008. 


FTC warns consumers to beware of smart toys

The agency says these products can pose a number of risks to children’s privacy

The Federal Trade Commission (FTC) on Monday released a list of questions to ask before buying an internet-connected toy in order to protect the privacy of the child who will be receiving it.

Toys with microphones, Wi-Fi connectivity, GPS tracking, and other technology can reveal significant amounts of personal information. Before buying one of these devices for a child, the FTC recommends assessing which features could pose privacy risks. 

The agency recommends asking the following questions before buying a smart toy: 

  • Does the toy come with a camera or microphone? What will it be recording, and will you know when the camera or microphone is on?

  • Does the toy let your child send emails or connect to social media accounts?

  • Can parents control the toy and be involved in its setup and management? What controls and options does it have? What are the default settings?

Look into information collection practices 

To protect against the possibility of identity theft or worse, consumers should be fully aware of what information the smart toy collects and how it will be used. 

Additionally, the FTC recommends asking where the data that the toy collects is stored and shared, and who has access to that information. The toy company should also give parents a way to see and delete the data, the agency said. 

In order to comply with the Children’s Online Privacy Protection Act (COPPA), toy companies must give parents the tools to control the information that is shared about their child and withdraw consent at any time. 

“If the toy collects personal information from your child who is under 13 years old, the toy company has to tell you about its privacy practices, ask for your consent, protect and secure collected data, and give you the right to have your child’s personal information deleted,” the FTC said. 

The agency has additional tips for protecting kids’ privacy online on its website.


Apple says an iPhone feature needs your location, regardless of whether you share it or not

No need for consumers to get up in arms says one tech security chief -- it’s simply an unforced error

There’s a new wrinkle in the personal privacy world. Security researcher Brian Krebs stumbled upon the fact that Apple’s iPhone 11 seeks out exactly where the user is located even when the user has turned off that feature from any and all apps and system services within the phone.

Krebs took a hard look at Apple’s privacy policy and didn’t like what he saw, either as a tech watcher or a consumer. Krebs points out that the privacy policy on the iPhone’s Location Services screen clearly says, “If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.”

But it was the next part of the privacy policy that really got Krebs up in arms: “You can also disable location-based system services by tapping on System Services and turning off each location-based system service,” the policy states.

Not true, Krebs says. “Apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically even after individually disabling all system services that use location.”

Apple responds

Apple’s comeback? It’s by design, the company says. 

“Ultra wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations,” said one Apple spokesperson in a statement to TechCrunch. “iOS uses Location Services to help determine if an iPhone is in these prohibited locations in order to disable ultra wideband and comply with regulations.”

“The management of ultra wideband compliance and its use of location data is done entirely on the device and Apple is not collecting user location data.”

In ConsumerAffairs’ research, Apple’s use of ultra-wideband doesn’t seem to differ from how other platforms and systems use the technology. In fact, the use of ultra-wideband is nothing new. It’s predominantly used for short-range indoor applications like wireless printing of photos from a phone or transferring files between mobile phones. 

It’s also all around us. It’s been used to monitor vital signs of the human body; the military has employed it to detect and identify buried IEDs and hidden adversaries at a safe distance; and the New York City subway system is testing it for use with signaling. However, that hasn’t stopped those in the industry from giving their two cents’ worth.

“I think this is a silly unforced error on Apple’s part,” tweeted Will Strafach, CEO of Guardian and the developer of Guardian Firewall, which claims to “block digital trackers from secretly collecting your information.”

Tempest in a teapot?

Is this a privacy issue? It could be if you take exception to Apple’s privacy policy and how this particular situation plays out against those guidelines. But Strafach may be correct in calling it a “silly unforced error.” TechCrunch also pointed to Apple’s slow response to Krebs’ discovery, which probably made matters worse than they needed to be.

Whether this was an unforced error or Apple got caught doing something it shouldn’t, we probably will never know. Nonetheless, Apple said it will provide a new dedicated toggle option for the feature in an upcoming iOS update.


Billions of text messages found on unsecured database

Security researchers say sensitive data was left unprotected for years

Security researchers recently found an unsecured database housing a massive collection of text messages containing private information. Nearly 1 billion entries belonging to over 100 million U.S. citizens were found in the database, stored in plain text. 

A majority of the messages were sent by businesses to customers, and “hundreds of thousands of entries” included details about users (including full names, phone numbers, addresses, emails, and more), according to cybersecurity experts Noam Rotem and Ran Locar. 

In a blog post, the researchers said "tens of millions" of text messages were left "completely unsecured and unencrypted” for an extended period of time. They believe text messaging firm TrueDialog -- an SMS provider for businesses and higher education providers -- is responsible for the leak. 

Database now offline

TrueDialog operates a service that enables businesses to text marketing materials and alerts to their clients in bulk. Recipients are even able to text back. The firm boasts five billion subscribers worldwide. 

"We contacted the company. We disclosed our findings and offered our expertise in helping them close the data leak and ensure nobody was exposed to risk," the researchers said. "The database has since been closed, but TrueDialog never replied to us." 

Although the database was pulled offline on November 29, Rotem and Locar say the risk potential of the leak may linger for hundreds of millions of users.

“The available information can be sold to both marketers and spammers," the researchers said.

Since the database is now offline, there’s no way to tell who was impacted by the leak. To protect against the possibility of online exposure, security researchers continue to recommend that consumers set up two-factor authentication (preferably with an authenticator app or hardware key rather than SMS codes) and frequently change their passwords on Google and Facebook accounts. 

TechCrunch notes that the leak is “another example of why SMS text messages may be convenient but is not a secure way to communicate — particularly for sensitive data, like sending two-factor codes.” 


FBI warns consumers about risks of unsecured smart TVs

The agency suggests taking several precautions to protect against possible exploits

In a timely consumer advisory published ahead of Cyber Monday, the FBI's Portland field office has warned of the dangers of failing to adequately secure smart TVs. 

The agency said consumers shopping for a smart TV this holiday season should be aware that hackers could potentially use these products to infiltrate consumers’ home networks. They could also use them to take control of the camera and microphone. 

"Beyond the risk that your TV manufacturer and app developers may be listening and watching you, that television can also be a gateway for hackers to come into your home,” the FBI wrote on its website. “A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router.” 

The FBI said attackers could change channels, manipulate the volume, or show children inappropriate videos. 

“In a worst-case scenario, they can turn on your bedroom TV’s camera and microphone and silently cyberstalk you,” the agency said. 

Securing smart TVs

To secure vulnerabilities and protect against exploits, the FBI suggested taking the following actions: 

  • Know the device’s capabilities. Know exactly what features your TV has and how to control those features. A basic internet search with your model number and the words “microphone,” “camera,” and “privacy” can help you find this information.

  • Don’t rely on default security settings. The FBI recommends changing passwords if you can. Consumers should also know how to turn off the microphones, cameras, and the device’s ability to collect personal information if possible. In the event that these features can’t be disabled, the agency advises consumers to “consider whether you are willing to take the risk of buying that model or using that service.” 

  • Use tape if needed. A piece of black tape can be placed over the camera eye as a “back to basics” security option, the agency noted. 

  • Seek information about patches. Check the manufacturer’s ability to update your device with security patches. 

  • Check the privacy policy. Check the privacy policy for the TV manufacturer and the streaming services you use. Confirm what data they collect, how they store that data, and what they do with it.


T-Mobile hit with data breach affecting prepaid customer information

The carrier hasn’t provided an estimate of how many customers were affected

T-Mobile has disclosed that it recently suffered a data breach that allowed a malicious party to access the account information of some of its prepaid customers. The wireless carrier said it “quickly corrected” the security issue after discovering it. 

“Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account,” the company said on its customer support page. “We promptly reported this to authorities.” 

The carrier noted that no financial data or Social Security numbers were accessed in the breach, and no passwords were compromised. However, information associated with users’ prepaid wireless accounts, including names and billing addresses, was accessed. Other personal data that was revealed included phone numbers, account numbers, rate plans, and add-on features (such as international calling add-ons). 

Affected customers notified

The company said it has started the process of notifying all affected customers. Users who received a notification are advised to update the PIN on their T-Mobile account.  

“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” T-Mobile said. “We truly regret that this incident occurred and apologize for any inconvenience this has caused you.”

T-Mobile said some customers whose information was compromised may not have received a notification because their contact information is out of date. Customers who are worried that they may fall under this category are advised to contact T-Mobile’s customer support department for further assistance. 

“If you are a T-Mobile customer, you can reach us by dialing 611 from your T-Mobile phone or by calling 1-800-T-MOBILE from any phone,” the company said. 


Facebook fixes iOS bug that activated the cameras of app users

The company also announced the removal of over 3 billion fake accounts

A Facebook bug that allowed the Facebook app to activate the cameras of those running iOS 13 has now been fixed. 

Web designer Joshua Maddux spotted the bug and posted about it on Twitter earlier this week, saying it “lets you see the camera open behind your feed.” A Facebook official responded thanking Maddux for noticing the glitch and promising to get to work on a fix. 

“This sounds like a bug, we are looking into it,” Guy Rosen, Facebook’s vice president of integrity, said Tuesday. 

Facebook said Wednesday that it was submitting fixes for the bug to Apple. According to The Verge, the Facebook iOS app has now been updated and is available in the App Store. 

Removing problematic content

Facebook has been attempting to mitigate a number of issues directly affecting users as of late. The company recently paid a record $5 billion fine to the FTC over its handling of user data in the 2018 Cambridge Analytica scandal. 

Earlier this month, Facebook announced that it recently became aware that a subset of app developers had retained data from user groups on the platform. The disclosure came just a few weeks after Facebook revealed that it suspended “tens of thousands” of apps, citing various privacy concerns. 

On Wednesday, the company announced that it removed 3.2 billion fraudulent accounts from April to September. Facebook said in its latest transparency report that it has improved its ability to proactively “detect and block attempts to create fake, abusive accounts.” 

“We can estimate that every day, we prevent millions of attempts to create fake accounts using these detection systems,” the company said.

Facebook said it removed more than 11.6 million instances of content depicting child nudity and sexual exploitation of children on Facebook and 754,000 pieces on Instagram during the third quarter.

“While we are pleased with this progress, these technologies are not perfect and we know that mistakes can still happen,” the company wrote in a blog post. “That's why we continue to invest in systems that enable us to improve our accuracy in removing content that violates our policies while safeguarding content that discusses or condemns hate speech.”

Facebook bug allows app to open users’ cameras while in use

The bug appears to affect devices running iOS 13

A Facebook bug is allowing the Facebook app to activate iPhone users’ cameras while the app is in use.

The bug was discovered by web designer Joshua Maddux, who posted on Twitter that it “lets you see the camera open behind your feed.” Other users of Facebook for iOS have also reported the issue, with the earliest incident occurring on November 2. 

Users have said they are able to see the camera feed on the left side of their screen when they open a photo in the app and scroll down. The Next Web notes that the camera feed is only live if the user has given the app permission to access their camera.

Maddux said he spotted the same glitch on a handful of other iPhone devices with the iOS 13.2.2 operating system, but the bug didn’t appear to surface on iOS 12 and has not been reported among Android users.

“I will note that iPhones running iOS 12 don’t show the camera (not to say that it’s not being used),” he said.

Privacy issues

The camera activation bug comes as Facebook attempts to regain users’ trust following a string of privacy incidents. The company recently paid a record $5 billion fine to the FTC over its handling of user data in the Cambridge Analytica scandal.

Earlier this month, Facebook disclosed that as many as 100 app developers retained data from user groups on the platform. That disclosure came just a few weeks after the company informed the public that it had suspended “tens of thousands” of apps, citing various privacy concerns. 

Guy Rosen, Facebook’s vice president of integrity, posted on Twitter that the company is now aware of the bug affecting the app’s use of some users’ cameras.  

“Thanks for flagging this,” Rosen tweeted on Tuesday. “This sounds like a bug, we are looking into it.”

Hackers are exploiting the BlueKeep security flaw on older Windows PCs

Security researchers urge those with unpatched Windows machines to apply a necessary update immediately

A critical Windows vulnerability known as BlueKeep has been exploited by the hacking community.

Over the weekend, security researcher Kevin Beaumont found that the vulnerability was being exploited. Beaumont had created several internet-connected Windows machines that were vulnerable to BlueKeep — nicknamed “honeypots” — and, following a few months of inactivity, they were broken into by an attacker who used the vulnerability to install a cryptocurrency miner.

Earlier this year, the Cybersecurity and Infrastructure Security Agency (CISA) warned that the BlueKeep vulnerability could pose security risks similar to the WannaCry attacks of 2017.

Microsoft issued a warning about the vulnerability in May, but not all machines have been updated with a fix. According to recent figures, roughly 700,000 Windows machines that have the Remote Desktop Service feature activated — including Windows 7, Vista, and XP machines, as well as Windows Server 2003 and 2008 systems — are still vulnerable.

The flaw is considered wormable “because malware exploiting this vulnerability on a system could propagate to other vulnerable systems,” CISA explained. “A BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.”

Serious threat 

After Beaumont’s analysis was published, the exploitations appeared to stop. However, security researchers say the threat is still present.  

“So far the content being delivered with BlueKeep appears to be frankly a bit lame—coin miners aren't exactly a big threat,” Beaumont wrote in a blog post. “However it is clear people now understand how to execute attacks on random targets, and they are starting to do it. This activity doesn’t cause me to worry, but it does cause my spider sense to say ‘this will get worse, later’.”

The finding serves as another warning to those who haven’t patched the flaw to do so as soon as possible. An attacker who exploited the BlueKeep flaw would be able to take control of the machine to view, alter, or delete data or to install new programs. 

The National Security Agency (NSA) warned in June that a vulnerability of this nature could have a big impact. 

"We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw," the organization said.

Microsoft's website has links to the patches that can mitigate the flaw. 

Google warns users about two serious security vulnerabilities in Chrome

Users are urged to update their browser immediately

On Thursday, Google issued a Chrome security alert and urged users to update their browsers as soon as possible in light of the discovery of two high-severity security vulnerabilities. 

In a blog post, Google engineers said an exploit for one of the two vulnerabilities has already been spotted in the wild.

"Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild," the company said in announcing the release of Chrome version 78.0.3904.87.

Both vulnerabilities -- CVE-2019-13720 and CVE-2019-13721 -- were uncovered by Kaspersky researchers Anton Ivanov and Alexey Kulaev. They’re classified as “use-after-free” vulnerabilities, meaning they allow for “corruption or modification of data in the memory. This allows an unprivileged user to escalate privileges on an affected system or software,” according to the National Cyber Security website.  

Manually check for updates

Google added that public access to bug details and links “may be kept restricted until a majority of users are updated with a fix.” 

Although Chrome users are notified automatically when the latest update becomes available, Google is recommending that users manually check for the update by going to “Help” and tapping “About Google Chrome” from the menu.

The update rolled out by Google “addresses vulnerabilities that an attacker could exploit to take control of an affected system," the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) said in a statement.

Smart light bulbs could be vulnerable to data breaches, new study finds

Researchers want to warn consumers about potential security glitches

With cybersecurity at the forefront of many consumers’ minds, a new study conducted by researchers from the University of Texas at San Antonio discovered a new smart device that could be vulnerable to attacks: light bulbs. 

“Your smart bulb could come equipped with infrared capabilities, and most users don’t know that the invisible wave spectrum can be controlled,” said researcher Murtuza Jadliwala. “Any data can be stolen: texts or images. Anything that is stored in a computer.” 

With smart bulbs lined up to be one of this season’s most popular holiday gifts, the researchers want to urge consumers to be aware of potential threats and to understand how these smart devices work so they can take the necessary steps to protect their data.

Just like a computer

The researchers explained that smart light bulbs connect in one of two main ways: by bypassing WiFi and connecting over Bluetooth to what many refer to as a smart home hub, or by connecting to a personal WiFi network, which consumers typically use to connect their other personal devices that store their data, like cell phones, tablets, or laptops.

Ultimately, the smart home hub option is better for avoiding data hacks, as connecting the smart light bulb to a personal WiFi network can enable hackers to use that network to steal data from other devices.

“Think of the bulb as another computer,” said Jadliwala. “These bulbs are now poised to become a much more attractive target for exploitation even though they have very simple chips.” 

As this technology continues to get more complex, the researchers hope that companies do their part to ensure these devices are secure for consumers and safe to use in conjunction with other smart devices. 

Understanding the risk of smart devices

Amazon came under fire earlier this year following an investigation that revealed its employees were listening in on consumers’ requests to their Alexa devices. Revelations like these make it more important than ever for consumers to stay up-to-date on how these devices can create security problems. 

As smart devices become more popular in the home, researchers found that they could be a source of security weakness for many consumers. Security experts are urging consumers to take precautions when it comes to smart home devices like refrigerators or thermostats. 

They encourage consumers to avoid smart devices that don’t require authentication of any kind, as having a unique username and password are key to ensuring that data remains secure. 

Companies need to ensure their vendors are committed to cybersecurity

Researchers suggest this is the best way to ward off hackers

A new study conducted by researchers from American University explored the work that is necessary for companies to ensure that their data -- and their customers’ data -- remains secure. 

The study revealed that regardless of how firm a company is on security, it could be more susceptible to a data breach if one of its affiliated vendors is more laid back on the issue.

“Companies that want to be the most effective at preventing cyber-attacks need to look at every entity that handles their data,” said researcher Ayman Omar. “If you have one weak link, the entire operation is compromised. If I’m running a company that has strong cybersecurity measures in place, but my third-party vendors don’t, the company is still at risk.” 

The researchers explained that a company’s vendors will often reap the rewards of the company’s cybersecurity efforts, as those protections will extend to cover beyond just the company in question. However, this study also found that those efforts need to be reciprocated on all ends, as all of that shared data can become more vulnerable to hackers when there aren’t comprehensive cybersecurity practices put into place.

Moving forward, the researchers suggest that companies put competition aside in their efforts to protect their data and their customers’ data, and work alongside potentially rival companies to ensure that data remains secure. 

“It’s in the best interest of companies that normally compete with each other to combine investments to make cybersecurity supply chains better,” said Omar. 

Being mindful of public networks

With many companies now offering free WiFi to their customers, a recent study explored how public networks can be susceptible to cybersecurity attacks. 

The researchers found that routers used in many public spaces or in consumers’ homes contain two networks -- one that carries more private data and another that is for guest use. However, hackers are able to work in shared channels that give them access to both the public and the private network, which can help them steal data from either one.

To avoid such issues, the researchers suggested having entirely separate devices designated for personal use versus public use. They explained that doing this can prevent hackers from stealing or sharing information. 

“All of the routers we surveyed regardless of brand or price point were vulnerable to at least some cross-network communication once we used specially crafted network packets,” said researcher Adar Ovadya. “A hardware-based solution seems to be the safest approach to guaranteeing isolation between secure and non-secure network devices.”

Yahoo data breach victims can receive over $350 in cash compensation

Users who file a claim can receive a cash payout or free credit monitoring

Consumers affected by the Yahoo data breaches that occurred between 2013 and 2016 may be able to claim a cash payout from the company, pending approval of a settlement by California courts. 

In 2013, Yahoo suffered a data breach that is said to have exposed the personal information of all three billion of its users. A second breach occurred the following year, affecting around 500 million accounts. Information compromised in the breaches included names, birthdays, email addresses, encrypted passwords, and more. 

It wasn’t until two years later that Yahoo finally disclosed the two massive breaches. Now, Yahoo users can file a claim to receive a portion of the $117.5 million class-action settlement related to the breaches. 

To be eligible to file a claim, users must have:

  • Had a Yahoo account between January 1, 2012 and December 31, 2016
  • Received a notice about the data breaches
  • Been a resident of the U.S. or Israel

Payout or credit monitoring

Users impacted by the breaches can get up to $358 or two years of free credit monitoring services by AllClear ID. In order to claim a cash payment, users must be able to verify that they already have credit monitoring or protection services and will keep them for at least a year.  

As was the case with the Equifax data breach settlement, the amount of cash impacted users can expect to receive will likely be less than $358 if a large number of users submit claims. 

“Payment for such a claim may be less than $100.00 or more (up to $358.80) depending on how many Settlement Class Members participate in the Settlement,” the settlement website states.

However, some consumers could receive up to $25,000 by providing proof of out-of-pocket losses or loss of time during the data breaches.

“As to documented lost time, you can receive payment for up to fifteen hours of time at an hourly rate of $25.00 per hour or unpaid time off work at your actual hourly rate, whichever is greater,” says the settlement website. “If your lost time is not documented, you can receive payment for up to five hours at that same rate.” 

Filing a claim

Eligible Yahoo users can file a claim at this website. Alternatively, users can download and print the claim form and mail it in with any supporting documentation. 

The deadline to file a claim on the website, or send one in by mail, is July 20, 2020. Payouts won’t be distributed until after a Final Fairness Hearing has taken place in April 2020. 

Twitter allowed user data to be used for ad-targeting purposes

The site said an ‘error’ led to a security breach affecting some users’ two-factor authentication data

Twitter disclosed on Tuesday that it inadvertently shared some user phone numbers and email addresses with advertisers. The information had been submitted by users in order to set up two-factor authentication on their accounts. 

“We recently discovered that when you provided an email address or phone number for safety or security purposes, this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” Twitter said in a statement. 

The platform said it couldn’t “say with certainty” how many users were impacted by the error, but it wanted to “make everyone aware” for the sake of transparency. Company officials said the information was used for ad-targeting purposes as a result of a mistake in its tailored audiences program. 

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” the company said. 

The micro-blogging website said the issue was addressed and fixed as of September 17. Twitter said it is “no longer using phone numbers or email addresses collected for safety or security purposes for advertising.” 

Hackers target secure web traffic on Chrome and Firefox web browsers

Security experts say the hackers are likely linked to the Russian government

Researchers at cybersecurity company Kaspersky Lab published a report this week detailing a Russian group’s attempts at taking a fingerprint of TLS-encrypted web traffic by modifying Chrome and Firefox web browsers.

The group, called Turla, is “believed to operate under the protection of the Russian government,” ZDNet notes. 

Kaspersky researchers found that the group could infect systems with a remote access trojan and, from there, install its own digital certificates on each host. This technique enables the group to intercept TLS traffic from the host.

Secondary method of monitoring targets

Kaspersky didn’t offer an explanation of why the hackers would do this. ZDNet noted that one possible motive might be that the group wanted to use the TLS fingerprint as a secondary traffic surveillance mechanism in case victims found and removed the trojan but didn't take the time to reinstall their browsers. Kaspersky’s researchers said they identified targets in Russia and Belarus.

“We registered two initial infection schemes: Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts,” the company said. 

ZDNet added that this isn’t the first time Turla has modified a browser’s internal components.

“A January 2018 report from fellow cyber-security firm ESET revealed that Turla had compromised at least four ISPs before, in Eastern Europe and the former Soviet space, also with the purpose of tainting downloads and adding malware to legitimate files,” ZDNet reported.

“The group has previously installed a backdoored Firefox add-on in victims' browsers back in 2015, which it used to keep an eye on the user's web traffic,” the website added. “Patching Chrome and Firefox just to be able to track a victim's HTTPS traffic while they've been kicked off a workstation fits with their previous pattern of highly clever hacks and techniques.”

Google discloses zero-day Android vulnerability

Researchers thought the bug had been patched several years ago

Google’s security researchers recently discovered an active “zero-day” Android vulnerability that was believed to have already been patched two years ago. 

Researchers at the company’s Project Zero team said the problem affects phones manufactured by Samsung (including the Galaxy S7, S8, and S9), as well as the Huawei P20, Pixel 1, and Pixel 2. 

The bug was marked as having been patched in December 2017, but apparently the fix didn’t translate to newer versions of the operating system. 

“We have evidence that this bug is being used in the wild,” Google’s security researchers said in a post.

Kernel privilege escalation bug

The company publicly disclosed the details of the bug just seven days after uncovering it due to its severity. However, Google said the vulnerability requires the installation of a malicious application to compromise a device, which reduces the risk of an attacker getting control of a mobile device.

“This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation,” wrote Tim Willis, a Project Zero member. “Any other vectors, such as via web browser, require chaining with an additional exploit.”

The company said it has notified Android partners and made a patch available on the Android Common Kernel.

"Pixel 3 and 3a devices are not vulnerable, while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update," Google’s security researchers added. Other devices affected are the Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3 and the Moto Z3.

DoorDash reports data breach that occurred in May

The company says 4.9 million people may have been affected

If you signed up for DoorDash before April 5, your personal information may have been compromised. The food delivery service reports a data breach that may affect as many as 4.9 million consumers.

In a blog post, the company said that in addition to customers, delivery personnel and restaurants may have been affected by the breach.

Company officials say the breach apparently occurred on May 4 of this year, but it was not discovered until nearly four months later. The company pins the blame on a third-party service provider but DoorDash declined to name the company.

“Earlier this month, we became aware of unusual activity involving a third-party service provider,” the company said in its blog post. “We immediately launched an investigation and outside security experts were engaged to assess what occurred.”

The investigation revealed that an “unauthorized third party” accessed some DoorDash user data on May 4, 2019. 

“We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users,” the company said.

What the hackers got

The company believes the hackers gained access to customer profile information that includes names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.

It does not appear the hackers got away with customers’ credit card data. The company says in some cases the hackers may have gotten the last four digits of credit cards, but not the full number nor the CVV number, which is often required to make an online purchase.

For about 100,000 delivery personnel, the company says hackers may have gained access to their driver’s license numbers.

If your information was compromised, expect to hear from DoorDash in the near future. The company said it is reaching out to those affected with instructions about what they should do.

While it is not believed that passwords were compromised in the breach, DoorDash says it may be prudent for those affected to reset their passwords.

Microsoft releases patch for flaw in Internet Explorer

A zero-day vulnerability has already been actively exploited

Microsoft has deployed an “emergency” security update for Windows 10 users following the discovery of a vulnerability in Internet Explorer. In a security advisory, the tech giant classified the flaw as a remote code execution vulnerability, meaning a hacker could remotely cause malicious code to run inside the browser.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” the company said. “An attacker who successfully exploited the vulnerability could take control of an affected system.”

The flaw was discovered and reported to Microsoft by security engineer Clement Lecigne, a member of Google's Threat Analysis Group (TAG). The vulnerability had already been exploited by attackers prior to its discovery.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” Microsoft warned.

Users urged to update immediately

Microsoft said the out-of-band security update it has issued “addresses the vulnerability by modifying how the scripting engine handles objects in memory.”

The Cybersecurity and Infrastructure Security Agency (CISA) also issued a security advisory encouraging users to apply the necessary updates to prevent an affected system from being taken over by a remote attacker. 

Windows users are advised to install the updates right away. Microsoft’s security advisory includes links to the manual update packages.
