Cybersecurity News

Investigators said Monday that the hackers behind the global SolarWinds incident used computer code with links to known Russian spying tools, Reuters reports. 

It recently came to light that cyber criminals hacked SolarWinds to gain access to at least 18,000 government and private networks. It is believed that the cyberattackers’ goal was to collect intelligence. 

Now, researchers at Moscow-based cybersecurity company Kaspersky said the attackers deployed code that closely resembled malware associated with a Russian hacking group known as “Turla.” 

The way in which the SolarWinds hack was carried out had three notable similarities to a hacking tool called “Kazuar,” which is used by Turla, according to Costin Raiu, head of global research and analysis at Kaspersky.

Similarities were noted in how the hackers identified their victims and how they avoided being detected through the use of a specific formula to calculate periods with the viruses lying dormant. Additionally, both pieces of malware attempted to obscure their functions from security analysts.  

“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”

Connection likely

Raiu said the similarities point to the likelihood of a link between the two hacking tools, but they don’t necessarily imply that Turla played a role in the SolarWinds hack. He said there’s a possibility that the hackers behind the SolarWinds hack were merely inspired by Kazuar, or that they deliberately planted “false flags” in order to throw off investigators. 

Although Moscow has denied involvement in the hack, U.S. intelligence agencies have said that the hackers were “likely Russian in origin.” Security firms in the U.S. and other countries are continuing to investigate the incident in order to determine its full scope, and the Department of Justice has vowed to take serious action. 

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said last week. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted."

After sitting on the news for almost two weeks, the U.S. Department of Justice (DOJ) has confirmed that its email systems fell prey to the same band of cyberattackers linked to the global SolarWinds incident that has affected government and private sector businesses.

"On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment,” DOJ spokesman Marc Raimondi said in a statement.

Raimondi went on to say that the number of affected email boxes was limited to around 3 percent and that the agency has no indication that any of its classified systems were impacted.

“A major incident”

According to a joint statement issued by the recently organized Cyber Unified Coordination Group -- which includes the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence, and the National Security Agency -- the hackers are “likely Russian in origin” and “responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”

The group’s investigation is ongoing, and it’s possible they could turn up additional government victims. In the group’s estimation, the hackers’ goal appeared to be collecting intelligence, rather than anything destructive.

Nonetheless, the attack on the DOJ was serious enough that it’s vowing to take serious action.

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted."

President Trump has signed an executive order banning several Chinese payment apps, including Alipay and WeChat Pay. 

A senior administration official said the order, which was signed late in the day on Tuesday, aims to keep American user data from being shared with the Chinese government. The Trump administration cited the possibility that the apps mentioned in the order could be used as a “mass tool for global oppression.”

"The United States must take aggressive action against those who develop or control Chinese connected software applications to protect our national security," the order said.

In total, eight Chinese apps are banned under the order: Tencent QQ, CamScanner, SHAREit, VMate, WPS Office, QQ Wallet, Alipay, and WeChat Pay. 

National security concerns

The U.S. government has concluded that the apps named in the order automatically capture “sensitive personally identifiable... and private information” from millions of users in the United States.” President Trump is concerned that the apps could be used to track and build dossiers of personal information on federal employees.

“At this time, action must be taken to address the threat posed by these Chinese connected software applications,” Trump wrote. 

The order will take effect after 45 days, which leaves open the possibility that President-elect Joe Biden will revoke it. The incoming presidential administration has yet to say how it plans to handle the order. 

The Trump administration has previously attempted to ban Chinese-based apps like TikTok and WeChat over national security concerns. Both attempts were unsuccessful. 

In 2019, the administration launched a trade war against Beijing and blacklisted Huawei Technologies, ZTE, and Chinese firms over national security concerns. The Federal Communications Commission (FCC) has designated Huawei and ZTE as national security threats, but both companies have denied that they share data with the Chinese government.

T-Mobile’s cybersecurity team is once again being put to the test. On Monday, the phone carrier announced that it experienced its fourth data breach in three years. 

The company did not say what portion of its nearly 100 million user accounts were at risk, but it did confirm that the data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs.

“Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account,” said Matt Staneff, the Chief Marketing Officer of T-Mobile USA.

“We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”

What happened?

In a letter to customers, Staneff said T-Mobile’s cybersecurity team detected -- then shut down -- “malicious, unauthorized access” to “some” information related to T-Mobile accounts. Staneff qualified “some” as customer proprietary network information (CPNI). Collecting CPNI data is a permission given to phone companies by the Federal Communications Commission (FCC) and typically includes call information like the date, duration of the call, the phone number called, and the type of network a consumer subscribes to -- in short, the type of information that appears on a customer's phone bill.

“We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers,” Staneff said.

T-Mobile users weren’t so lucky in March 2020 when a data breach allowed hackers to gain access to T-Mobile employee email accounts. That, in turn, opened up access to customers’ names, addresses, Social Security numbers, financial account information, phone numbers, billing and account information, and rate plans. 

T-Mobile offers to answer any questions

Staneff said the company is ready to answer additional questions if a customer wants further details. Customers can either contact the company online, ask questions at one of the company’s stores, or go through the customer service team at 1-800-937-8997. 

“We are sorry for any inconvenience this may cause you. We take the security of customer information seriously and, while we have a number of safeguards in place to protect customer information from unauthorized access, we will continue to work to further enhance security so we can mitigate this type of activity,” Staneff promised.

In a blog post on Thursday, Microsoft said it identified more than 40 organizations that were targeted by attackers using “sophisticated measures.”

Most victims of the attack (80 percent) were located in the U.S. The other targeted groups were spread across seven other countries: Canada, Mexico, Belgium, Spain, the U.K., Israel, and the United Arab Emirates. Microsoft said it has started working with the groups identified as victims. 

Those affected were running problematic versions of a third-party software platform called SolarWinds Orion. Hackers were able to escalate intrusions with additional, second-stage payloads. Microsoft said it discovered the intrusions using data from its Microsoft Defender antivirus product, which is built into all Windows installations.

"It's a certainty that the number and location of victims will keep growing," said Microsoft President Brad Smith. 

Microsoft targeted

Microsoft itself was among those targeted by hackers, but the company denied claims that its production systems were compromised or that the attack affected its business customers and end-users. 

"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed," the statement said.

Microsoft said the attack “represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them.” 

The company said the attack is being “actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft." Smith said it’s become clear that stronger international rules are needed to help prevent future attacks of this magnitude. 

“The defense of democracy requires that governments and technology companies work together in new and important ways – to share information, strengthen defenses and respond to attacks,” he wrote. “As we put 2020 behind us, the new year provides a new opportunity to move forward on all these fronts.” 

More than three million Google Chrome and Microsoft Edge users are believed to have installed extensions that contain malicious code, according to security firm Avast. 

Avast researchers said users who installed one of 28 third-party extensions containing hidden malicious JavaScript could be at risk of data theft and phishing attacks. 

The extensions in question are primarily designed to help users download multimedia content from social networks including Facebook, Instagram, Vimeo, or Spotify. But Avast said users could end up being redirected to a site where the attacker gets paid for user visits. In other cases, users could end up on phishing sites. 

“Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit,” the security firm explained.

Names of extensions

Avast said it found evidence that some of the malicious extensions had been active since at least December 2018. The researchers discovered the code hidden in the apps last month and reported their findings to Google and Microsoft. 

Both companies have said they are investigating the extensions. In the meantime, Avast has recommended that users disable or uninstall the extensions. 

Here is the list of Chrome extensions that contain malicious code, according to Avast: 

• Direct Message for Instagram

• DM for Instagram

• Invisible mode for Instagram Direct Message

• Downloader for Instagram

• App Phone for Instagram

• Stories for Instagram

• Universal Video Downloader

• Video Downloader for FaceBook™

• Vimeo™ Video Downloader

• Zoomer for Instagram and FaceBook

• VK UnBlock. Works fast.

• Odnoklassniki UnBlock. Works quickly.

• Upload photo to Instagram™

• Spotify Music Downloader

• The New York Times News

Avast said the following Edge extensions contain malicious code: 

• Direct Message for Instagram™

• Instagram Download Video & Image

• App Phone for Instagram

• Universal Video Downloader

• Video Downloader for FaceBook™

• Vimeo™ Video Downloader

• Volume Controller

• Stories for Instagram

• Upload photo to Instagram™

• Pretty Kitty, The Cat Pet

• Video Downloader for YouTube

• SoundCloud Music Downloader

• Instagram App with Direct Message DM

It looks like Facebook has unfriended Apple. On Wednesday, the social media platform took out full-page ads in the New York Times, Washington Post, and Wall Street Journal to denounce Apple’s upcoming iOS privacy changes. Facebook claims that it’s “standing up to Apple for small businesses everywhere.”

The barrel of ink Facebook is throwing Apple’s way is supposedly related to Apple’s iOS 14 privacy changes, which will require app developers like Facebook to “provide information about some of your app’s data collection practices on your product page.” The change will also require Facebook to “ask users for their permission to track them across apps and websites owned by other companies.”

Facebook comes out swinging

Facebook didn’t come right out and say it, but Apple’s disclosure shift will impact Facebook’s ad business, especially its ad network for developers and businesses if end users opt out of being tracked.

In the ad, Facebook maintains that Apple’s changes will be “devastating to small businesses” that rely on its ad network to leverage clicks and sales. The newspaper ads that Facebook took out ask small businesses to check out the platform’s “speak up for small business” site that features a series of business owners speaking out on Apple’s changes. Some of those comments are pretty shaming -- things like “This is going to affect me and my family,” and “We could lose our business.”

While Apple has yet to publicly respond to Facebook’s ads, the company did respond to similar Facebook claims in November, accusing Facebook of a “disregard for user privacy.” Apple is steadfast in its position that the upcoming privacy policies will be enforced when they go into effect in early 2021. The company said it is “committed to ensuring users can choose whether or not they allow an app to track them.”

Facebook’s call for support

Facebook said it hopes the Direct Marketing Association (DMA) will also set boundaries for Apple. 

“Apple controls an entire ecosystem from device to app store and apps, and uses this power to harm developers and consumers, as well as large platforms like Facebook,” a Facebook spokesperson said in a statement to CNBC. “

If Facebook’s game is to play two ends against the middle, maybe it should have first asked the DMA if it had its back. “We respect your privacy – and so do our members,” is the organization’s promise to consumers.” (Our Association of National Advertisers) ensures that consumers have choices about unwanted marketing offers. Our members honor consumers who don’t want to be contacted. You have choices about the type of marketing you receive.”

The Federal Trade Commission (FTC) turned up the heat on the social media big wigs on Monday. In a new mandate, the Commission will now require nine tech firms to disclose exactly how they collect and use data from their users.

Called on the carpet are the usual suspects -- Amazon, Facebook, and Twitter -- along with Google’s YouTube, TikTok’s owner ByteDance, Discord, Facebook’s WhatsApp, Reddit, and Snap. The companies have until January 28, 2021 to respond.

What is the FTC looking for?

Specifically, the FTC is leveraging Section 6(b) of the FTC Act, which gives it the authority to ask about how the companies “compile data concerning the privacy policies, procedures, and practices of [such] providers, including the method and manner in which they collect, use, store, and disclose information about users and their devices.”

Moving past the legalese, the FTC said that what it’s trying to ascertain is really more consumer-oriented. The questions it wants answered are:

• “How social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;

• How they determine which ads and other content are shown to consumers;

• Whether they apply algorithms or data analytics to personal information;

• How they measure, promote, and research user engagement; and

• How their practices affect children and teens.”

The commissioners weigh in

After making their demands, the FTC commissioners said that the agency is seeking more information in the best interest of consumers.

“Never before has there been an industry capable of surveilling and monetizing so much of our personal lives. Social media and video streaming companies now follow users everywhere through apps on their always-present mobile devices,” Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Christine S. Wilson said in a statement. 

“This constant access allows these firms to monitor where users go, the people with whom they interact, and what they are doing. But to what end? Is this surveillance used to build psychological profiles of users? Predict their behavior? Manipulate experiences to generate ad sales? Promote content to capture attention or shape discourse? Too much about the industry remains dangerously opaque.”

Commissioner Noah Joshua Phillips was the dissenting vote among the commissioners, saying that the move was an “undisciplined foray into a wide variety of topics.” He called his peers out for omitting other companies engaged in business practices similar to the nine companies named. Phillips asked why Apple, Gab, GroupMe, LinkedIn, Parler, Rumble, Tumblr, and WeChat weren’t also named. He answered his own question rather snarkily. 

“The only plausible benefit to drawing the lines the Commission has is targeting a number of high profile companies and, by limiting the number to nine, avoiding the review process required under the Paperwork Reduction Act...which is not triggered if fewer than ten entities are subject to request.”

Russian hackers, believed to be working on behalf of the Kremlin, were apparently behind an attack into computer systems at the departments of the U.S. Treasury and Commerce that may have gone on for months before being detected. To make matters worse, people familiar with the matter feel that this situation just may be the tip of the iceberg.

According to U.S. officials and a report by National Public Radio (NPR), the Russian hackers broke into the email systems at those two government departments, and it was so consequential that it led to a National Security Council meeting at the White House on Saturday, one of the people familiar with the matter told Reuters.

It may not come to anyone’s surprise that Russia denies any involvement. The Russian foreign ministry took to Facebook to say the allegations were nothing more than another “unfounded attempt” by the American media to blame Russia for cyberattacks directed at U.S. agencies.”

Malicious actors

In the Department of Homeland Security’s response to the “known compromise,” it said that the hack involved SolarWinds Orion network monitoring products being exploited by malicious actors.

“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners -- in the public and private sectors -- to assess their exposure to this compromise and to secure their networks against any exploitation,” the DHS’ Cybersecurity and Infrastructure Security Agency said in a statement.

The Commerce Department and the National Security Council both confirmed the breach, but the agencies didn’t give any extra information about the extent of the hack or the measures that have been taken to secure the email accounts.

The private sector is also in danger

In addition to the government breaches, the hackers also wormed their way into the computer system bowels of private companies. 

More than 400 of the U.S. Fortune 500 companies use SolarWinds products, according to KrebsOnSecurity. That list includes all branches of the military, as well as all ten of the Top 10 communications companies, all five of the Top 5 accounting firms, and hundreds of colleges.

Security firm FireEye, which also happened to be hit by the hack, said cyber criminals inserted malware into SolarWinds updates that “(went) to significant lengths to observe and blend into normal network activity.” It also concluded that the breach is a “global campaign” and had confirmed intrusions in North America, Europe, Asia, and the Middle East. 

In a blog post late Sunday, Microsoft echoed FireEye’s assessment, saying that it believes the hack represents “nation-state activity at significant scale, aimed at both the government and private sector." The company also had words for its own users.

“We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations. As part of our ongoing threat research, we monitor for new indicators that could signal attacker activity,” the company said.

FireEye, one of the nation’s leading cybersecurity firms, has shared details of a hack targeting its “Red Team” tools, which it uses to test customers’ security. The firm said there is concern that the hackers could publicly release the tools they accessed or use them to carry out other attacks. 

In a blog post, FireEye CEO Kevin Mandia said the attack was “different from the tens of thousands of incidents we have responded to throughout the years.” 

“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus,” Mandia wrote. “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.” 

Russia reportedly a suspect

FireEye said it doesn’t currently have evidence that any customer information was taken. 

Although the company didn’t say in its report who it believes is responsible for the attack, the Wall Street Journal reported that state-sponsored Russian hackers are a likely suspect. A source familiar with the matter told the Journal that Russia is currently being viewed by investigators as “the most likely culprit.” 

“Moscow’s foreign-intelligence service, known as the SVR and one of two Russian groups that hacked the Democratic National Committee ahead of the 2016 presidential election, is believed to be responsible, the person said,” according to the Journal. 

FireEye didn’t specify when the hack took place or when it became aware of it. The hack is currently being investigated by FireEye, as well as the FBI and industry partners like Microsoft.

Since becoming aware of the attack, FireEye said it’s developed hundreds of countermeasures that can detect or block the use of any of its stolen tools. The firm said it has integrated the measures into its own security products and shared them with “colleagues in the security community.” 

FireEye said it will “continue to share and refine any additional mitigations for the Red Team tools as they become available.” 

A Google researcher has demonstrated an Apple security vulnerability that could have allowed hackers to gain full access to a person’s iPhone. A cyberattacker could have exploited the flaw without having the user download malware or click on a suspicious link. To fall victim, a user would have only had to be within Wi-Fi range. 

Ian Beer -- a security researcher with Google’s Project Zero -- explained in a video this week that it was possible for a Raspberry Pi setup with off-the-shelf Wi-Fi adapters to steal photos from an iPhone in a different room in a matter of minutes. The same security vulnerability also allowed Beer to repeatedly reboot 26 iPhones at the same time. 

Apple fixed the vulnerability in May, but Beer said he spent six months looking into the issue.

"Imagine the sense of power an attacker with such a capability must feel," Beer said in a blog post. "As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target."

Full access to a device

Through his extensive research, Beer found a “wormable radio-proximity exploit” that allowed him to gain “complete control over any iPhone in my vicinity.” He said he was able to view phones, read emails, copy private messages, and monitor everything that happens on a device in real-time. 

“The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine,” he wrote. “Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”

Beer said he hadn’t seen any evidence that the flaw was exploited prior to being fixed, but he said consumers can never be too careful when it comes to the security of their mobile devices. Issues like these are likely to surface again. 

"As things stand now in November 2020, I believe it's still quite possible for a motivated attacker with just one vulnerability to build a sufficiently powerful weird machine to completely, remotely compromise top-of-the-range iPhones," Beer said.

A hacker is reportedly selling access to email accounts belonging to “hundreds” of high level executives across the world. The accounts are going for $100 to $1500 each, depending on the value of each account. The targets include CEOs, vice presidents, and directors. 

The email and password combinations are being sold on a “closed-access underground forum for Russian-speaking hackers named Exploit.in,” according to ZDNet. The seller did not disclose how he obtained the login credentials, but he claimed to have hundreds of additional accounts to sell. 

ZDNet said a cybersecurity source has confirmed the validity of the stolen data. That source has begun the process of notifying all the affected companies. 

Scam potential 

If corporate executive login credentials fall into the wrong hands, both the executives and their workers could be affected. Cybercriminals can use compromised corporate email credentials for a variety of money-making schemes, KELA Product Manager Raveed Laeb explained to ZDNet. 

"Attackers can use them for internal communications as part of a 'CEO scam' - where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme,” Laeb said.

Stolen login credentials can also be “exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion," Laeb added.

To reduce the likelihood of such events unfolding, cybersecurity experts highly recommend using two-step verification or two-factor authentication for online accounts. Attackers won’t be able to do anything with stolen login details in cases where the user has set up 2SV or 2FA. 

Password manager NordPass has released its annual list of the worst passwords, and 2020’s list includes many of the same weak passwords as years prior. 

Consumers are still protecting their data with simple passwords that are infamous for being easy to crack, according to this year’s list. For example, NordPass found that millions of people are still using “password" and “123456” as passwords. The firm said the latter has been breached more than 23 million times. 

Many people may choose variations of the number bar because it’s quick and easy to type, but research has found that these frequently used passwords take less than a second to crack. Combinations of adjacent keys, such as “asdfghjkl” or “qwertyuiop,” have also been found to be highly vulnerable to cracking. 

Worst passwords of 2020

NordPass’s full list contains 200 of the most commonly used passwords, ranked by metrics such as how many times each password has been exposed and how long it would take an unauthorized party to crack it. 

Below are the top 20 worst passwords of the year. 

• 123456

• 123456789

• picture1

• password

• 12345678

• 111111

• 123123

• 12345

• 1234567890

• senha

• 1234567

• qwerty

• abc123

• Million2

• 000000

• 1234

• iloveyou

• aaron431

• password1

• qqww1122

Protecting your data

To keep sensitive data from being exposed, NordPass recommends making sure all passwords are unique and complex. This can be made easier through the use of a password manager or a third-party service like LastPass or Apple’s iCloud Keychain. 

NordPass also suggests enabling two-factor authentication when possible and deleting any old or inactive accounts. 

In all the hoopla regarding new vaccine test success from Moderna and Pfizer, Microsoft has uncovered a series of cyber attacks coming from Russia and North Korea targeted at research companies doing those tests.

In a blog post, Microsoft says the attacks targeted seven major pharmaceutical companies and researchers in Canada, France, India, and South Korea, and the U.S. Microsoft didn’t say which companies were targeted or what type of information may have actually been compromised or stolen, but officials said they had notified the organizations and offered help where the attacks were successful.

“Two global issues will help shape people’s memories of this time in history – COVID-19 and the increased use of the internet by malign actors to disrupt society. It’s disturbing that these challenges have now merged as cyberattacks are being used to disrupt health care organizations fighting the pandemic,” wrote Microsoft’s Tom Burt, Corporate Vice President, Customer Security & Trust.

“We think these attacks are unconscionable and should be condemned by all civilized society. Today, we’re sharing more about the attacks we’ve seen most recently and are urging governments to act.”

The attacks and the protection

There are actually three key players in the attacks: “Strontium,” an actor originating from Russia, and two actors originating from North Korea that Microsoft has dubbed “Zinc” and “Cerium.”

Strontium uses “password spray” and brute force login attempts to steal personal login credentials. The software it uses conducts millions of rapid attempts to crack a third-party’s personal data. Zinc’s game is to use spear-phishing lures for credential theft by sending messages with fabricated job descriptions pretending to be recruiters. And Cerium? The angle it works is spear-phishing with email lures using COVID-19 themes while masquerading as World Health Organization representatives. 

Luckily, Burt says the “majority” of the attacks have been blocked by security protections built into the company’s products. The company is continuing to make its threat notification service, “AccountGuard,” available for free to health care and human rights organizations working on COVID-19. 

The company says that 195 health care-related groups have enrolled in the service, and it now protects 1.7 million email accounts that those organizations serve.

A Microsoft executive is urging users to move away from phone-based multi-factor authentication (MFA) mechanisms and instead embrace newer security technologies, like app-based authenticators and security keys.

In a blog post, Alex Weinert, Director of Identity Security at Microsoft, said app-based two-factor authentication provides greater security.

Weinert said telephone-based multi-factor authentication (MFA) solutions -- like one-time codes sent via SMS and voice calls -- are “based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.” 

“That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages,” he said. “Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.” 

MFA is ‘essential’

In 2019, Weinert penned a blog post in which he said that internal Microsoft statistics showed that users who enabled MFA blocked around 99.9 percent of automated attacks against their Microsoft accounts. 

In a follow up blog post earlier this week, he stressed that MFA itself is essential -- but the way people use it should change. If users have to choose between multiple MFA mechanisms, he said they should avoid phone-based MFA which can be intercepted by attackers. 

Weinert said a good place to start is by using Microsoft’s Authenticator MFA app. For even greater security, hardware security keys can be used. 

The Federal Trade Commission (FTC) announced a settlement with video conferencing platform Zoom on Monday that will require the company to implement a sturdier information security program. The FTC alleged that Zoom engaged in a series of “deceptive and unfair practices” that essentially undermined the security of its users.

The FTC’s complaint dates back to 2016 when the agency alleged that Zoom deceived users by falsely promising that it offered “end-to-end, 256-bit encryption” to secure users’ communications. Regulators said the falsehood created the possibility that other people (including Zoom) could read a user’s content. 

In the FTC’s eyes, Zoom also erroneously told users who wanted to store recorded meetings on the company’s cloud storage that those meetings were encrypted immediately after their meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.

Enter COVID-19

The matter was complicated further during the COVID-19 pandemic. Zoom’s reach skyrocketed from 10 million in December 2019 to 300 million in April 2020, putting even more users’ privacy at risk. 

Earlier this summer, the company attempted to soften the FTC’s angst by improving its security for all users versus only its paying subscribers, but those actions seemingly weren’t enough to appease regulators.

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

What changes Zoom users will see

The FTC’s laundry list of changes that Zoom users are supposed to see thanks to the settlement include:

• The annual assessment and documentation of any potential internal and external security risks and develop ways to safeguard against such risks;

• Implementation of a vulnerability management program; and

• Deployment of safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and taking steps to prevent the use of known compromised user credentials.

The FTC didn’t stop there, though. On top of those three key changes, Zoom agreed to review any software updates for potential security flaws and must ensure that software updates will not hamper third-party security features. The company has also agreed not misrepresent to the public its collection and use of personal information, and it will have an assessment of security program made by an independent third party every other year.

The hotel reservation firm Prestige Software has exposed the data of millions of guests worldwide, Website Planet reports. 

Prestige Software -- a platform that enables hotels to automate their availability on booking websites like Expedia and Booking.com -- reportedly stored files dating as far back as 2013 without any protection in place. 

Exposed information included names, credit card details, ID numbers, and reservation details. In some cases, logs contained personally identifiable information for multiple members included in a single booking.

No evidence of third party access 

At this time, it’s not known how long the trove of data was left unsecured or if any third parties accessed it. If the data was found by a cybercriminal, the party could steal identities, carry out phishing scams, or even hijack a reservation.

“Millions of people were potentially exposed in the data breach, from all over the world. We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” said researcher Mark Holden. “So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”

Website Planet said the firm quickly fixed the vulnerability after being alerted to the issue. 

Holden said that due to the sheer number of hotel and travel websites involved in the breach, it’s “impossible to help anyone already exposed if somebody found the data before us.” Clients of Prestige Software include Booking.com, Expedia, Hotels.com, and many others. 

“If you’re a customer of any of the websites listed in this report and are concerned about how this leak might impact you, contact the company directly to determine what steps it’s taking to protect your data,” Website Planet said.

The U.S. government has taken control of $1 billion in bitcoin from the now-defunct online black market Silk Road. The capture represents the largest cryptocurrency seizure to date.

Silk Road ranks as the most infamous online criminal marketplace of its day, but the Department of Justice (DOJ) brought it to its knees in 2015 when it successfully prosecuted its founder, Ross Ulbricht, on seven counts that included unlawfully facilitating the sale of illegal drugs and money laundering. 

By the time Silk Road was brought to justice, it had reportedly generated sales revenue totaling over 9.5 million bitcoins. Commissions from these sales totalled over 600,000 bitcoins, which presumably went right into Ulbricht’s pockets.

Follow the money

This is where the story gets interesting. Before Ulbricht was sent off to prison, he sheltered a billion in bitcoins in a digital wallet and did his best to tuck away the wallet where it would be hard to find.

Someone referred to as “Individual X” supposedly hacked the Silk Road’s payments system some time in either 2012 or 2013. The DOJ says that Ulbricht “threatened Individual X for the return of the cryptocurrency,” but the mysterious hacker refused. 

Enter the DOJ and the Washington DC Cyber Crimes Unit. The group -- which is tasked with virtual currency transactions -- used a third-party bitcoin tracing company to analyze bitcoin transactions carried out by Silk Road and was able to identify 54 previously undetected transactions executed by the platform. An analysis showed that all of those transactions appeared to represent all proceeds of unlawful activity stolen from Silk Road.

The DOJ continued its hunt, and it cornered Individual X on November 3, 2020. The anonymous hacker agreed to hand over the stolen bitcoin and transfer it to the government's hands. The DOJ is mum on whether Individual X was arrested, cut a plea bargain, or even how their cooperation was attained.

“Criminal proceeds should not remain in the hands of the thieves,” IRS-CI Special Agent in Charge Kelly R. Jackson said in a statement. “The Washington DC Cyber Crimes Unit is uniquely specialized in tracing virtual currency transactions and we will continue to hone our skills to combat illegal activity.”

GrowDiaries, an online community of marijuana growers, has suffered a major data breach. 

Security researcher Bob Diachenko reported that GrowDiaries left two of its Kibana apps -- an open-source analytics and visualization platform normally used by a company’s development and IT staff -- exposed online without administrative passwords since September 22, 2020. 

One of the unsecured Kibana apps led to the exposure of sensitive information belonging to 1.4 million users of the site. Information exposed included passwords, email addresses, and IP addresses. The other database exposed user articles posted on the GrowDiaries site, as well as users’ account passwords. 

Diachenko said he discovered the unprotected database on October 10. 

“It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords,” he wrote. “The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.” 

GrowDiaries secured its server less than a week after Diachenko notified site administrators of the issue. Although the site has been secured, GrowDiaries users are still urged to change their passwords just in case their old password was exposed. 

Diachenko said he couldn’t say for sure if any other third-parties accessed the data while it was unsecured, but it “seems likely.” 

The Federal Bureau of Investigation (FBI) has warned that hospital information systems have been hit by coordinated ransomware attacks, which could possibly lead to disruptions in patient care. 

In a joint advisory on Wednesday, the FBI and two other federal agencies said malicious groups have levied several data-scrambling extortion attempts against hospitals and healthcare providers over the past few weeks. 

Officials said they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The attacks could lead to “data theft and disruption of healthcare services,” the agencies said. 

Attack on health care system

The warning coincides with an uptick in the number of COVID-19 infections nationwide. On Monday, an analysis of data from Johns Hopkins University showed 69,967 new COVID-19 cases in the U.S. In just the last week, the seven-day average of new cases has risen 20 percent.

Officials said the targeted ransomware attacks will likely create issues that will be “particularly challenging for organizations within the COVID-19 pandemic.” Institutions are urged to take precautions to protect their networks. Recommended precautions include regularly updating software, backing up data, and monitoring who is accessing their systems. 

In September, cyber attackers launched a highly coordinated ransomware attack on a major U.S. hospital chain. The incident forced some hospital employees to revert to using pen and paper to file patient information. 

In the most recent wave of attacks on hospital networks, malicious groups are using Ryuk ransomware -- software used to encrypt and secure files. The attackers are using the Trickbot network of infected computers to gain access to data, disrupt health care services and demand money from health care facilities in order to decrypt the files. 

Google has pulled three popular apps from the Google Play Store after finding that the apps violated its policies regarding the collection of children’s data. 

The apps that were removed were Princess Salon, Number Coloring, and Cats & Cosplay. Collectively, the apps had amassed more than 20 million downloads prior to being removed. 

The International Digital Accountability Council (IDAC) determined that the apps -- which were all aimed at younger users -- violated "broader Google Play policies around data collection.” The watchdog group notified Google of its findings, and Google swiftly removed the apps. 

“The practices we observed in our research raised serious concerns about data practices within these apps,” IDAC president Quentin Palfrey said in a statement. “We applaud Google for taking steps to enforce on these apps and the third-party data practices within these apps.”

Data-privacy violations

The researchers said the apps were built upon problematic third-party frameworks, which collected Android ID and Android Advertising ID data. The three software development kits (SDKs) used in the apps -- Unity, Appodeal, and Umeng -- made it possible for them to violate Google’s privacy protection regulations. 

Palfrey said the IDAC found that certain versions of the Unity SDK were "collecting both the user’s AAID [unique user ID for advertising] and Android ID simultaneously, which may have allowed Unity to bypass privacy controls and track users over time and across devices."

“Google took corrective action in response, after its own investigation,” the Council said. 

The IDAC didn’t provide an estimate of how much data, if any, was taken as a result of the issues. No violations were discovered in iOS versions of the three apps, according to the group. 

“These apps broke rules barring the uses of developer kits that aren’t approved for ‘child-directed services,’” Google said in a statement. 

Google added that it’s in the process of establishing procedures to detect these kinds of violations before they end up on the Google Play store. The company has said that it’s working with privacy organizations to prevent developers from violating the rules.

Critics argue that Google’s size and power creates a number of problems. The removal of the apps comes less than a week after the U.S. Department of Justice announced that it is suing Google for allegedly abusing its industry dominance to stifle competition in online search and search advertising. 

During the coronavirus (COVID-19) pandemic, more consumers than ever are using online banking. Yet a new survey shows banks in the U.S. and Canada are struggling to implement practices that combat online identity fraud and money laundering, without turning off their customers.

In an age of digital banking, the survey found that just over half of North American banks are still requiring customers to prove their identities by visiting branches or posting documents when opening digital accounts. 

The survey found the same situation in 25 percent of mortgages or home loans and 15 percent of credit cards opened online.

Rethinking their approach

"The pandemic has forced industries to fully embrace digital,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO, which commissioned the survey. “We now are seeing North American banks that relied on face-to-face interactions to prove customers' identities rethinking how to adapt to the digital-first economy."  

Andrew, of Scottsdale, Ariz., recently had this experience. In a post on ConsumerAffairs, Andrew told us that a fraud alert resulted in his Chase bank account being locked.

“I simply called their security department and was told it was closed out due to bank identity and that I would have to go into a branch and show 2 forms of ID's,” Andrew wrote in his post. 

Banks everywhere have instituted new procedures when fraud is suspected, a necessary measure considering the exponential growth of the crime. But Lasher says all banks should consider making the process as user-friendly as possible because it’s good for business in the long run.

"Today's consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations,” she said. “Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult."

Slow to embrace digital verification

The study found that only 16 percent of North American banks use the type of fully integrated, real-time digital capture and validation tools that FICO says are required for consumers to securely open a financial account online. 

Some banks have adopted some form of digital verification, but the study found that in most cases, the experience “still raises barriers,” with customers expected to use email or visit an "identity portal" to verify their identities.

The authors suggest that banks create a “frictionless process” that will meet consumers' expectations. Failing to do so could lead to a loss of business.

According to FICO's recent Consumer Digital Banking study, 75 percent of customers said they would open a bank account online, but 23 percent of them would give up and go somewhere else if they faced a difficult or inconvenient identity verification process.

Three-quarters of the banks in the study told FICO they plan to invest in an identity management platform within the next three years.  

More than 100 Dickey’s Barbeque Restaurants across the U.S. were involved in a data breach that spanned more than a year. 

KrebsOnSecurity reported that one of the dark web’s most popular stores for selling stolen credit card information was offering card numbers belonging to customers of Dickey’s Barbeque Restaurants. 

Around three million new credit card records were being offered this week on a dark web carding site called “Jokers Stash.” Security researchers at Gemini Advisory initially discovered the stolen credit card numbers for sale on the dark web marketplace. 

Long-running breach

Gemini said its analysis found that 156 of the eatery’s 469 locations across 30 states were compromised. The largest percentage of stolen numbers were from California and Arizona. The data was accessed between July 2019 and August 2020, the researchers said. 

“Given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations,” researchers said in a blog post.

Report suspicious charges

In a statement, the barbeque franchise said it’s aware of the safety incident and that it’s currently investigating its scope.

“We obtained a report indicating [that a] cost card safety incident might have occurred. We’re taking this incident very significantly and instantly initiated our response protocol and an investigation is underway. We’re presently centered on figuring out the places affected and time frames concerned,” Dickey’s said.

Consumers who have visited Dickey’s Barbeque in the past year are urged to monitor their bank accounts and credit card transactions and report any fraudulent or suspicious charges to their financial institution as soon as possible. 

Barnes & Noble has disclosed that it was recently the victim of a cybersecurity attack, leading to "unauthorized and unlawful access to certain Barnes & Noble corporate systems."

In emails sent to customers, the bookseller said the personal data of some customers may have been accessed during the breach. The potentially exposed information includes customer email addresses, billing and shipping addresses, telephone numbers, and transaction histories. 

"It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems,” Barnes & Noble said in the email. "We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility.”

Barnes & Noble stressed that no financial data -- which it stores "encrypted and tokenized" for security purposes -- was taken or available to the hackers. However, the company warned that leaked email addresses could be used to carry out phishing campaigns. 

Nook platform affected

Nook Digital, the company’s eBook and e-Reader platform, was also affected by the breach. Since Sunday, Nook owners have been unable to download books to their devices. The bookstore giant acknowledged the issue in a tweet, telling customers that it was investigating the cause and that service restoration was taking longer than expected.

“We are continuing to experience a systems failure that is interrupting NOOK content. We are working urgently to get all NOOK services back to full operation. Unfortunately it has taken longer than anticipated, and we sincerely apologize for this inconvenience and frustration,” the company said.

Barnes & Noble assured customers that there was “no compromise of customer payment details” and said it will let users know when service has been restored.

“We expect NOOK to be fully operational shortly and will post an update once systems are restored,” the company wrote in an October 14 tweet. 

A band of Chinese digital wrongdoers have apparently ripped off Facebook users to the tune of $4 million. At Virus Bulletin’s virtual VB2020 conference, Facebook’s malware researchers and security analysts revealed that malware was found abusing Facebook's ad platform to run malicious ad campaigns that spammed users with phony celebrity endorsements and enticed them to make fraudulent purchases. 

Facebook’s security team coined the malware ‘SilentFade’ – ‘Silently running Facebook ADs with Exploits’ -- based on how the attacks were carried out. The malware’s M.O. was to infect users with the malware, then commandeer the users' browsers and make off with browser cookies and passwords.

Once they had that, the bandits searched for user accounts that had payment methods associated with their profile. At that point, SilentFade was off to the races, buying Facebook ads for things like keto pills and weight loss products with the victim's funds. 

All told, Facebook said the group was able to fleece more than $4 million from infected users. To make things whole, Facebook reimbursed the $4 million back to the victims for unauthorized ads purchased using their ads accounts.

Not exclusive to Facebook

Satnam Narang -- a staff research engineer at Tenable who has uncovered similar scams on other social media platforms like TikTok, Instagram, and Twitter -- noted that it’s a well-conceived, “cunning” scam designed to take advantage of Facebook’s billions of users while also providing the bad actors with a layer of protection against getting caught.

"Facebook’s research into SilentFade highlights how users seeking out pirated software are further exposed to additional risk in the form of malicious software that can silently take control of their Facebook accounts,” Narang told ConsumerAffairs. 

“Even if users aren’t directly affected by the SilentFade malware, its effect extends to Facebook users that encounter dubious advertisements for products that are counterfeit or misleading, such as phony diet pills. Users should not download pirated software and should be extremely skeptical of advertisements for discounted products at or phony diet pills."

What took so long?

The interesting twist is that it’s taken two years for Facebook to tell the world about this issue. The SilentFade mob was active between late 2018 and February 2019, when Facebook's security team first caught wind of their presence. Luckily, they were able to stop the gang’s attacks. 

It’s possible that Facebook was embarrassed by the attack’s stealth-like precision. 

“This was the first time we observed malware actively changing notification settings, blocking pages, and exploiting a bug in the blocking subsystem to maintain persistence in a compromised account,” the company’s researchers said, claiming that the scam actually became a “silver lining” that helped it detect compromised accounts going forward. 

In an advisory published Thursday, the Treasury Department warned that individuals or companies that facilitate payments to ransomware extortionists could be fined by the U.S. government. 

Under its new guidelines, the Treasury Department said facilitating these payments could be in violation of anti-money laundering and sanctions regulations in cases where a group or hackers is either sanctioned by the U.S. Treasury or has ties to a cybercrime group that is sanctioned. 

Huge fines of up to $20 million could be incurred by firms or people that facilitate these payments. 

“Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” said the Treasury’s Office of Foreign Assets Control (OFAC).

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

The penalty could be handed down even if the company or individual was unaware that it was engaging or transacting with a sanctioned entity. Before deciding to make any sort of payment, ransomware victims are urged to contact the OFAC.

"OFAC encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus," the agency said. 

Health benefits provider Anthem has reached a settlement with 43 states, resolving the last of a series of lawsuits over a 2014 cyberattack. The company will pay the states $39.5 million.

The company previously agreed to a more than $16 million settlement with the U.S. Justice Department to resolve privacy issues resulting from the hack that exposed personal information on nearly 79 million people.

“Protecting the privacy of its customers should be Anthem’s top priority, otherwise people are left vulnerable and exposed,” said Ohio Attorney General Dave Yost. “The fear of having your identity stolen is alarming and it will take time to rebuild that public trust.”

Through the combined action, Yost said Ohio will receive $1.88 million from the settlement. Other states will receive similar amounts. In addition to the payments, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its practices going forward.

“Data breaches have far-reaching and long-lasting effects on people’s lives,” said Florida Attorney General Ashley Moody. “When companies fail to protect customers’ personal information, they owe it to the public to disclose that information quickly and to take steps to protect them from further damage.”

Timing of disclosure

The timing of the disclosure was one of the central issues in the states’ case. In February 2015, Anthem disclosed to the public that hackers had gained entry to its systems beginning in February 2014 by using malware installed through a phishing email. 

Once inside, the attackers gained access to Anthem’s data warehouse, where they stole names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans. 

“Protecting consumer data is incredibly important, and when companies or corporations who store large amounts of consumer data fail to safeguard that data, they must be held accountable,” said Attorney General Eric Schmitt.

Improving security

In addition to the financial settlement, Anthem has agreed to strengthen its network security protocols to avoid similar incidents in the future.

Among the steps, Anthem said it will implement a comprehensive information security program that incorporates principles of zero-trust architecture and includes regular security reports made to the Board of Directors and prompt notice of significant security events to the CEO.

It has also agreed to an assessment and audit of its security practices by a third-party for three years.

Universal Health Services (UHS), one of the nation’s largest health care providers, disclosed Monday that its systems were affected by a highly coordinated ransomware attack. Employees at a major U.S. hospital chain said over the weekend that they couldn’t access their computers. 

UHS, which operates about 400 health care facilities across the U.S. and U.K., said an “IT security issue” was responsible for the issue.

“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible,” UHS said in a statement. “In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.” 

The company added that “no patient or employee data appears to have been accessed, copied or misused.” 

Forced to file information manually

A source familiar with the matter told NBC News that the attack “looks and smells like ransomware.” Hackers often wait to deploy ransomware over the weekend to take advantage of reduced staff members, NBC News noted.

The attack forced some UHS hospitals to file patient information manually, using pen and paper. In other instances, ambulances were redirected to other nearby hospitals. 

This isn’t the first time a hospital chain has been the target of a cyberattack. Earlier this month, Duesseldorf University Hospital in Germany was hit by a ransomware attack that resulted in a patient in critical condition having to be transferred to another hospital. The patient ended up dying while en route to the other facility. 

The United States has added China’s largest chipmaker, Semiconductor Manufacturing International Corporation (SMIC), to its blocked entity list. 

U.S. officials concluded that there is an “unacceptable risk” that equipment supplied by SMIC could be used for military purposes, Reuters reported. 

In the interest of protecting national security, the Commerce Department has decided to make it necessary for American companies to apply for individual export licenses in order to do business with the Chinese firm. 

Tightening trade restrictions

A spokesperson for SMIC said the company hadn't heard anything about the restrictions in the form of an official notice. It maintained that it’s not linked to the Chinese military in any way. 

“SMIC reiterates that it manufactures semiconductors and provides services solely for civilian and commercial end-users and end-uses,” the chip maker said. “The Company has no relationship with the Chinese military and does not manufacture for any military end-users or end-uses.”

The U.S. previously blacklisted Chinese telecom giant Huawei in an effort to prevent China from accessing critical chipmaking technology. The nation’s addition of SMIC to the blocked entity list will keep the semiconductor producer from getting key equipment and design tools from the U.S. 

The Commerce Department’s Bureau of Industry and Security didn’t comment specifically on the decision regarding SMIC. However, it said more broadly that it was “constantly monitoring and assessing any potential threats to U.S. national security and foreign policy interests.” 

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has warned of a critical security vulnerability affecting Windows Servers used by federal officials.

CISA said a recently discovered flaw in Windows Netlogon Remote Protocol could allow an attacker with network access to “completely compromise all Active Directory identity services.” 

In its advisory, CISA urged government agencies to install a patch as soon as possible. Failure to patch the vulnerability, known as CVE-2020-1472, could have a “grave impact,” the agency said.

“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” CISA said. “Left unpatched, this vulnerability could allow attackers to compromise network identity services.” 

Requires immediate attention

The flaw affects systems running Windows Server 2008 R2 and later, including recent ones using versions of Windows Server based on Windows 10. Government agencies have until September 21 to install the patch.

“We have directed agencies to implement the patch across their infrastructure by Monday, September 21, and given instructions for which of their many systems to prioritize,” CISA said.

Microsoft said it’s dealing with the vulnerability through a phased two-part rollout. The first phase will involve the installation of a security patch released last month, which will provide the first layer of protection. Another patch to further boost security will be released February 9, 2021.

“These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels,” the company said in a statement. 

The Department of Veterans Affairs (VA) said Monday that around 46,000 veterans had their personal information exposed in a data breach

The VA said that hackers gained unauthorized access to their systems with the aim of stealing payments that were meant to go to health care providers who provided treatment to veterans. Some veterans may have had their social security number leaked.

"The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the­ medical treatment of Veterans,” the Department said in an announcement. “The FSC took the application offline and reported the breach to VA’s Privacy Office.” 

Investigation in progress 

The VA added that hackers were able to breach the system by “using social engineering techniques and exploiting authentication protocols.” The agency said it’s launching a security review. 

"To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology," it added.

The Department said it’s notifying veterans whose information was exposed in the breach. In cases where the affected veteran is deceased, the Department will notify the next-of-kin. 

“The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised," the VA said. "Veterans whose information was involved are advised to follow the instructions in the letter to protect their data. There is no action needed from Veterans if they did not receive an alert by mail, as their personal information was not involved in the incident.” 

Gaming hardware manufacturing company Razer accidentally leaked the data of as many as 100,000 customers, according to security researcher Bob Diachenko. 

Diachenko said in a report that the company misconfigured one of its Elasticsearch servers, leaving information available to the public and indexed by public search engines since August 18. The information leaked included customers’ full names, emails, phone numbers, and shipping addresses. 

It took Razer several weeks to respond to Diachenko, but the company finally responded and said it fixed the misconfiguration on September 9. The company claims that passwords and credit card information weren't involved in the leak.

"We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems," the company told Diachenko. "We remain committed to ensure the digital safety and security of all our customers."

Watch for suspicious emails

Improperly accessed information could be used by scammers to carry out phishing attempts, so Diachenko urges gamers to “be on the lookout for phishing attempts sent to their phone or email address.” 

“Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device,” he noted. “Razer customers could be at risk of fraud and targeted phishing attacks perpetrated by criminals who might have accessed the data.” 

Razer said customers with any questions about the leak can send a message to DPO@razer.com.

Smarting from the doozy of a Bitcoin scam that compromised the Twitter accounts of the rich and famous, the social media company closed down the ability to download archives of “Your Twitter Data.” Now that the dust has settled and the apparent chief perpetrator has been arrested, it’s bringing that feature back.

Twitter apologized profusely for the incident, which plundered the accounts of everyone from Warren Buffett to Kanye West. Collectively, victims of the scheme posted similar tweets asking for donations via Bitcoin, but hackers also got a hold of some of those celebrities’ “Your Twitter Data” archives -- an intrusion that not only had the potential to steal private messages, but also personal data. 

How to turn personal data back on

Twitter’s process for retrieving personal data is fairly simple. To access it, just go to Settings > Account > Your Twitter data. Then, type in your password and click to start the transfer. One note of warning for Twitter app users: you might be transferred over to Twitter’s mobile website, but the platform says there’s nothing to worry about if that happens.

Cisco has warned of a high-severity zero-day security vulnerability affecting its networking devices. 

In an advisory published Saturday, the company said the new security flaw affects its Internetwork Operating System (IOS), which ships with its networking gear. Cisco said the flaw was being actively exploited as recently as last week and that it’s still in the process of developing a patch. 

The networking device manufacturer said the flaw, dubbed the CVE-2020-3566 exploitation, could enable an unauthorized party to remotely execute an attack that exhausts process memory and creates instability in other processes running on the device.

"The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets,” Cisco explained. “An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device.” 

Exploitation attempts discovered

Cisco said it discovered exploitation attempts last week but didn’t provide details on what, if anything, the exploit attempts accomplished. The company only said what the flaw could allow an attacker to do. 

“A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes,” the company said. “These processes may include, but are not limited to, interior and exterior routing protocols."

Although Cisco didn’t provide an estimate of when a patch will be released, it did promise that one is on the way. 

While a patch is in the works, the company is urging users to rely on mitigation techniques, such as implementing either a rate limiter or an access control entry to an existing interface access control list. Details of these defensive strategies can be found in the company’s security advisory. 

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have warned that the COVID-19 pandemic has led to an increase in voice phishing (or “vishing”) campaigns. 

In a joint cybersecurity advisory, the agencies noted that the pandemic has resulted in a “mass shift to working from home.” This has spurred an uptick in the use of corporate virtual private networks (VPNs) for malicious purposes. In July, cybercriminals launched a vishing campaign with the intent of monetizing the access to improperly accessed employee tools.  

“The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme,” authorities said in the advisory.

“Prior to the pandemic, similar campaigns exclusively targeted telecommunications providers and internet service providers with these attacks, but the focus has recently broadened to more indiscriminate targeting,” the alert continued. 

Highly effective attack 

The advisory was published less than 24 hours after security researcher Brian Krebs of KrebsOnSecurity published research about a group of cybercriminals that has been marketing a vishing campaign that relies on custom phishing sites and social engineering techniques to steal VPN credentials from employees. 

Citing interviews with several sources, Krebs said the bad actors have experienced “a remarkably high success rate.” 

The attackers operate “primarily through paid requests or ‘bounties,’ where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home,” the report said. 

Krebs explained that a typical attempt begins with a series of phone calls to employees working remotely at a targeted organization. 

“The phishers will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s virtual private networking (VPN) technology,” according to Krebs. “The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.”

Preventing vishing attempts

FBI and CISA officials offered several tips on how people can protect themselves against vishing attempts. 

Companies and organizations are advised to restrict VPN connections to managed devices only, to employ domain monitoring, and to “consider using a formalized authentication process for employee-to-employee communications made over the public telephone network.” 

Others are advised to be suspicious of unsolicited phone calls or email messages from unknown individuals claiming to be from a legitimate organization. End users should also limit the amount of personal information they post on social networking platforms. 

“If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement,” the advisory said. 

If you’re a YouTube, TikTok, or Instagram user, hold on to your personal data, folks, because a gargantuan leak of social media profiles has shown up at the doorstep of these platforms.

According to an incident brought to light by researchers at Comparitech, Hong Kong-based Social Data exposed a database of close to 235 million social media profiles by not setting a password restriction or any other authentication required to access it. The exposed data includes these items from personal profiles:

• Profile and real full name, age, and gender

• Profile photo

• Whether the profile belongs to a business or has advertisements

• Statistics about follower engagement, including: number of followers, engagement rate, follower growth rate, audience gender/age/location, and likes

• Last post timestamp

Based on samples Comparitech collected, it says that about 20 percent of the records also contained either a phone number or email address.

Scraping all it can find

Social Data’s model is anything but consumer-friendly, but at least it’s honest about what it does. In its Terms of Service, it admits that it “scrapes” the data of influencers who “have a presence on the Internet having in excess of a certain amount of followers (decided by the marketer) on various social media platforms.” In other words, let’s say you have 1,523 followers on Instagram and a marketer is looking for people who have at least 1,000, you would be a prime candidate to be scraped.

Web scraping is an old-hat way of automating the copying of data from web pages in bulk. The cost of doing it is relatively inexpensive, and that appeals to marketing firms that can’t afford more aboveboard methods. Social Data swears that it only scrapes what is publicly accessible, but the practice violates Facebook, Instagram, TikTok, and Youtube terms of use. 

Deep Social was banned from Facebook and Instagram in 2018, but apparently it found a way to worm its way back in. Comparitech says that the wormhole likely came about because automated scraping bots can be difficult to distinguish from normal website visitors. Because of that, social media platforms have a hard time preventing them from accessing user profiles until it’s too late.

Social Data defends itself

A Social Data spokesperson told Comparitech security researcher Bob Diachenko in an email that the data was not “hacked” because it was collected in a legal way. 

“Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access,” the spokesperson said.

“I would appreciate it if you could ensure that this is made clear,” the spokesperson continued in their email to Diachenko. “Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database. […] Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private. [sic]”

When you take down a post or photo from a social media site, you might expect it to be gone for good. But one cybersecurity expert found this wasn’t the case for some content posted on Instagram. 

TechCrunch reports that security researcher Saugat Pokharel recently dug into his own data on the social media platform and found that messages and pictures he had deleted over a year before were still present on Instagram’s servers. After notifying the platform, he received $6,000 under Instagram’s bug bounty program for bringing the issue to light. 

“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us,” an Instagram spokesperson told TechCrunch.

Accessing your information

What Pokharel did to find this cybersecurity issue isn’t something that’s beyond any other Instagram user. The Download Your Information tool was introduced back in 2018 to allow the platform to comply with data information policies established under the European Union’s GDPR rule. 

Instagram states that it usually takes around 90 days for deleted content to be removed from its servers, but users can check out the tool for themselves to see exactly what personal information is being stored on the site. 

Consumers can find directions on how to access the tool on Instagram’s help page here.

Researchers have discovered vulnerabilities in Amazon’s digital assistant, Alexa. 

In a report published Thursday, researchers from Check Point said they found that attackers could exploit a flaw in Amazon’s Alexa that could enable them to extract personal information. 

“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” wrote Oded Vanunu, head of products vulnerabilities research at Check Point. “Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”

Requires just one click of a malicious link

The team said they found several web application flaws on Alexa-related subdomains, including Cross-Origin Resource Sharing (CORS) and Cross-Site Scripting (XSS). 

The presence of these vulnerabilities could enable attackers to access personal information like home addresses or banking data, remotely install or remove skills on a user’s Alexa account, or extract the victim’s voice history. 

“Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker,” said Dikla Barda, of Checkpoint Research, who helped discover the vulnerabilities.

The team noted that Amazon doesn’t record users’ banking login credentials, but that information could be extracted via recorded interactions with the smart assistant. 

“Since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,” said researchers. “We can also get usernames and phone numbers, depending on the skills installed on the user’s Alexa account.”

Prime targets to attackers

Given how many consumers use virtual assistants, Check Point said these devices are “attractive targets to attackers looking to steal private and sensitive information, or to disrupt an individual’s smart home environment.” 

“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” Vanunu said. “But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”

These devices “must be kept secured at all times to keep hackers from infiltrating our smart homes,” the researchers added. 

While one recent study has highlighted the ways hackers can hack into consumers’ cell phones, a new study is looking at yet another way consumers’ privacy could be manipulated through the network they use.

According to researchers from Ruhr-University Bochum, cell phone calls made on 4G LTE mobile networks could be susceptible to hackers. Though these networks should be immune to such attacks, the researchers learned that an issue in their security systems could leave many consumers vulnerable to these types of threats.  

“Voice over LTE has been in use for six years,” said researcher David Rupprecht. “We’re unable to verify whether attackers have exploited the security gap in the past.” 

Not-so-private phone calls

The majority of consumers utilize LTE networks on their mobile phones to do everything from searching the internet to making texts and calls. One of the benefits of this kind of network is that it is designed to keep consumers’ data private. However, the researchers learned that this isn’t always the case. 

When consumers make private calls on their phones, the contents of such conversations are kept safe with a unique encryption code. When all calls have their own codes, consumers’ information can stay private. However, this study revealed that it’s rather easy for hackers to get repeated codes and ultimately steal information from consumers. 

“The attacker has to engage the victim in a conversation,” said Rupprecht. “The longer the attacker talked to the victim, the more content of the previous conversation he or she was able to decrypt.” 

The process needs to occur rather quickly, and the hacker needs to be in the same mobile network as the person they’re trying to copy information from for it to work. But if the conditions are right, the researchers explained that all a hacker has to do is call their target not long after they’ve ended a separate call to gain access to an encryption code to steal information. 

The researchers analyzed random calls made on an LTE network across Germany. They found that 80 percent of the calls they examined were affected by this kind of security breach.

While this is certainly cause for concern, the researchers noted that several mobile networks have already resolved this issue. However, it’s still very important for consumers to be aware of these potential vulnerabilities and to stay vigilant since it’s impossible to determine if the issue has been completely eradicated. 

Video-sharing platform TikTok has faced a great deal of scrutiny from U.S. regulators over its data collection practices and its connection to the Chinese government. While it has defended itself and even offered to share its algorithms with the cybersecurity community, a recent investigation by the Wall Street Journal suggests that it had been tracking Google Android users for months without their knowledge or consent.

The publication reports that TikTok circumvented Google privacy safeguards to collect MAC addresses from Android users for 18 months before stopping the practice last November, when scrutiny from the U.S. government was ramping up. MAC addresses can act as identifiers that are unique to individual devices and could be used to serve users targeted ads. 

The new finding contrasts starkly with the company’s reaction to an executive order issued last week that seeks to ban the app from the U.S. over data privacy concerns. 

“We want the 100 million Americans who love our platform because it is your home for expression, entertainment, and connection to know: TikTok has never, and will never, waver in our commitment to you. We prioritize your safety, security, and the trust of our community -- always,” the company said in a blog post.

Feds clash with TikTok

The Trump administration previously cited concerns that TikTok and other Chinese apps like WeChat are able to gather data and share that information with the Chinese government. 

“TikTok automatically gathers vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search history,” the administration’s executive order stated. “This data threatens to allow the Chinese Communist Party (CCP) access to Americans’ personal and proprietary information -- potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information and blackmail, and conduct corporate espionage.”

While the Journal’s investigation shows no evidence of this kind of agenda, the findings do place a dark cloud over the company’s stance on user privacy and security. In response to the report, a TikTok spokesperson reaffirmed that the company prioritizes user security.

“Under the leadership of our Chief Information Security Officer (CISO) Roland Cloutier, who has decades of experience in law enforcement and the financial services industry, we are committed to protecting the privacy and safety of the TikTok community. We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never given any TikTok user data to the Chinese government nor would we do so if asked,” the spokesperson said.

Regulators respond

In a statement to the Journal, Sen. Josh Hawley (R-Mo.) called on Google to take action to prevent TikTok and other apps from skirting its security to collect consumers’ data.

“Google needs to mind its store, and TikTok shouldn’t be on it. If Google is telling users they won’t be tracked without their consent and knowingly allows apps like TikTok to break its rules by collecting persistent identifiers, potentially in violation of our children’s privacy laws, they’ve got some explaining to do,” he said. 

Talkspace, a mobile app that enables users to message a certified therapist, has been accused of regularly mining data from the transcripts of clients' private therapy sessions.

Former Talkspace employees interviewed by the New York Times claimed the mobile therapy startup used data that was supposed to be kept private for marketing purposes. 

The former employees claim Talkspace had data scientists pull commonly used phrases from anonymized patient transcripts. These key phrases were then allegedly shared with the company’s marketing team, which used the information to target new customers. 

The report also alleges that Talkspace gave employees phones to post fake positive reviews to the App Store and Play Store.

Talkspace denies allegations

In a Medium post published over the weekend, Talkspace co-founders Roni and Oren Frank denied that the startup mined data for marketing purposes.

They said the Times article “misconstrues our work and makes false and uninformed assertions about patient privacy and certain marketing practices.” The founders said the former employee featured in the story “shared information that is from 2016 and is not accurate.” 

"Talkspace is a HIPAA/HITECH and SOC2 approved platform, audited annually by external vendors and has deployed additional technologies to keep its data safe, exceeding all existing regulatory requirements," they wrote.

Back in 2019, Capital One released details of a massive data breach that compromised the personal information of over 100 million consumers in the U.S. and Canada. Now, it’s being forced to pay the piper for its mistakes. 

The Office of the Comptroller of the Currency (OCC) announced this week that Capital One will pay an $80 million civil penalty due to the breach. The Federal Reserve Board is also requiring the company to upgrade its internal risk management systems, as well as its cybersecurity and information security practices, to prevent a similar breach from happening in the future. 

“The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner,” the OCC stated. 

Exposed information

At the time, the scope of the Capital One breach was compared to the infamous Equifax breach of 2017, which compromised the personal data of nearly 150 million Americans. 

The exposed information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. The hacker responsible for the breach also accessed 140,000 Social Security numbers and 80,000 linked bank account numbers linked to secured credit card customers. Nearly 1 million Canadian Social Insurance numbers were also compromised. 

President Trump has signed an executive order banning TikTok and WeChat from operating in the United States in 45 days if they are not sold by the Chinese companies that own them.

Video-sharing platform TikTok has been at the center of federal scrutiny lately, and President Trump recently signaled his intention to ban the app due to national security concerns. 

On Thursday night, Trump said TikTok -- which is owned by China-based ByteDance -- will be banned in 45 days if it isn’t sold to another company.  It “remains unclear” if Trump has the legal authority to ban the apps from the U.S., the Associated Press noted.

Concerns over data sharing 

The Trump administration has expressed concern that TikTok and other Chinese apps could gather data from users and share it with the Chinese government.  

“TikTok automatically gathers vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search history,” the executive order alleged.

“This data threatens to allow the Chinese Communist Party (CCP) access to Americans’ personal and propietrary information – potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information and blackmail, and conduct corporate espionage.”

Microsoft said over the weekend that it was moving forward with talks to acquire TikTok. On Monday, President Trump said September 15 would be the deadline for TikTok to find a U.S. buyer. 

Taking action against Chinese apps

Trump issued a similar order for China-based WeChat, a platform that allows users to transfer funds to each other. 

"The United States must take aggressive action against the owner of WeChat to protect our national security,” the executive order said Thursday night.

Secretary of State Mike Pompeo said Wednesday that the Trump administration believes TikTok could feed data to the Chinese Communist Party. 

"Here's what I hope that the American people will come to recognize -- these Chinese software companies doing business in the United States, whether it's TikTok or WeChat, there are countless more ... are feeding data directly to the Chinese Communist Party, their national security apparatus -- could be their facial recognition pattern, it could be information about their residence, their phone numbers, their friends, who they're connected to," Pompeo said. 

He said President Trump was “going to fix it” through actions that would be unveiled in the coming days “with respect to a broad array of national security risks that are presented by software connected to the Chinese Communist Party.”

Companies that still rely on Windows 7 to conduct their business may want to quickly reconsider that decision. 

Earlier this week, the Federal Bureau of Investigation (FBI) sent out a warning saying that a lack of support for the operating system has made it vulnerable to hackers. The agency says businesses that continue you to use it are opening themselves up to hacking attempts by malicious third-parties. 

"The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status. Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered,” the FBI said in a private industry notification. 

Increased risk of being hacked

Microsoft announced earlier this year that it was ending support for Windows 7. The company said that the decision would mean that it would “no longer provide technical support, software updates, or security updates or fixes.”

That represents a huge risk to businesses who still rely on the operating system. Doing so greatly increases the risk of hackers being able to compromise internal systems and gain access to potentially sensitive information. 

"With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target," the FBI stated. 

The agency is advising companies to switch to an operating system that has active support to avoid additional hacking risks. Although making that switch may be inconvenient, agency officials say the risks of the alternative are too high. 

“Migrating to a new operating system can pose its own unique challenges, such as cost for new hardware and software and updating existing custom software. However, these challenges do not outweigh the loss of intellectual property and threats to an organization,” the agency stated. 

Twitter has disclosed details of a new security vulnerability that may have exposed the direct messages of its Android device users. The company said Wednesday that the vulnerability could have exposed the data of Twitter users running devices with Android OS versions 8 and 9.

“This vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this,” Twitter said in a blog post. 

The issue, which is now fixed, was related to an issue that only a small fraction of Twitter users experienced. Twitter said it was linked to an Android OS security issue that only affects systems 8 and 9. Around 96 percent of people using Twitter for Android already have a security patch for this vulnerability, Twitter said. 

The issue didn’t impact users running Twitter for iOS or Twitter.com.

Notices sent to affected users

The social media platform said it doesn’t currently have any evidence that the vulnerability was exploited, but it “can’t be completely sure” that it wasn’t. In an effort to protect the small group of potentially vulnerable users, the company rolled out an update to its Android app to ensure external apps can’t access in-app data. 

Twitter also sent in-app alerts to those affected and required them to update their app to the latest version. Going forward, Twitter has promised to identify “changes to our processes to better guard against issues like this.”

“To keep your Twitter data safe, please update to the latest version of Twitter for Android on all Android devices that you use to access Twitter,” the company said. “Your privacy and trust is important to us and we will continue working to keep your data secure on Twitter.”

Twitter warned investors on Monday that it could be slapped with an FTC fine of up to $250 million for using personal information provided by users for security purposes to instead target advertising. 

In its second-quarter 10-Q financial filing with the Securities and Exchange Commission (SEC), Twitter said it received a draft complaint from the FTC on July 28. The FTC alleged that the company’s actions violated a 2011 agreement requiring it to establish a more robust security program and stop misleading consumers about how it protects their personal information.

“The allegations relate to the Company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019,” Twitter wrote. “The Company estimates that the range of probable loss in this matter is $150.0 million to $250.0 million and has recorded an accrual of $150.0 million.”

Twitter came clean about its use of user data for ad targeting back in October. At the time, the company said it “unintentionally" used some email addresses and phone numbers for advertising. The information was provided by users for account security purposes, such as setting up two-factor authentication. 

Twitter said in the financial filing that the matter “remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.” 

Impact of recent security breach 

The financial filing also gave an update on the potential impact of the site’s recent hacking. Last month, a 17-year-old hacker was allegedly able to gain access to a number of high-profile accounts to promote a cryptocurrency scam. Twitter said in the filing that the breach could hurt its reputation, affect its relationship with advertisers, and hinder its growth.

“This security breach may have harmed the people and accounts affected by it,” the company said in the filing. “It may also impact the market perception of the effectiveness of our security measures, and people may lose trust and confidence in us, decrease the use of our products and services or stop using our products and services in their entirety.”

President Trump is poised to “take action” against Chinese apps, including TikTok, in the coming days, Secretary of State Mike Pompeo said Sunday. The Trump administration is concerned that the apps threaten national security. 

During an interview on Fox News' "Sunday Morning Futures," Pompeo said the administration believes TikTok, a social media video app owned by China-based Bytedance, could potentially feed data to the Chinese Communist Party. 

"Here's what I hope that the American people will come to recognize -- these Chinese software companies doing business in the United States, whether it's TikTok or WeChat, there are countless more ... are feeding data directly to the Chinese Communist Party, their national security apparatus -- could be their facial recognition pattern, it could be information about their residence, their phone numbers, their friends, who they're connected to," Pompeo said. 

"President Trump has said enough and we're going to fix it and so he will take action in the coming days with respect to a broad array of national security risks that are presented by software connected to the Chinese Communist Party,” he added. 

Pompeo said Trump “will make sure that everything we have done drives us as close to zero risk for the American people...That's the mission set that he laid out for all of us when we began to evaluate this now several months back. We're closing in on a solution and I think you'll see the President's announcement shortly.”

TikTok responds

TikTok has maintained that it would never give the Chinese government access to U.S. user data. In response to Trump’s threat on Friday to ban the platform in the United States, TikTok U.S. General Manager Vanessa Pappas posted a video saying the social media app is “not planning on going anywhere.”

“These are the facts: 100 million Americans come to TikTok for entertainment and connection, especially during the pandemic,” a company spokesperson said in a statement. “We've hired nearly 1,000 people to our US team this year alone, and are proud to be hiring another 10,000 employees into great paying jobs across the US.” 

“We are committed to protecting our users' privacy and safety as we continue working to bring joy to families and meaningful careers to those who create on our platform.” 

Cracking down on Chinese companies

President Trump’s planned action against TikTok and other Chinese apps would join other efforts to tighten U.S. security amid concerns over Chinese data sharing. Previously, the administration ordered the U.S. to stop buying equipment from Chinese telecom providers Huawei and ZTE. 

In July, the FCC formally designated the companies as national security threats, citing a “weight of evidence” that the companies could “cooperate with the country’s intelligence services” to harm U.S. communications. 

“With today’s Orders, and based on the overwhelming weight of evidence, the (FCC’s Public Safety and Homeland Security) Bureau has designated Huawei and ZTE as national security risks to America’s communications networks—and to our 5G future,” FCC Chairman Ajit Pai said in a statement at the time. 

As big tech companies get bigger -- and even smaller players dig deeper into consumers’ personal histories -- a survey suggests that the public is becoming increasingly wary.

A new survey from KPMG shows rising concern among consumers about how corporations use, manage, and protect their personal data. The survey found 56 percent of Americans want more control over their personal data and believe that both corporations and the government must work harder to protect consumer data.

Privacy appears to be a hot button topic with consumers, particularly when it comes to technology. Ninety-seven percent of consumers in the survey checked the box when asked if it’s an important issue.

At the same time, the survey suggests that consumers are deeply suspicious of what companies are doing with their data. Well over half --  68 percent -- don't trust companies to ethically sell their personal data.

"With consumers indicating that they see data privacy as a human right, and new legislation expected in the years ahead, it is critical that companies begin to mature privacy programs and policies," said Orson Lucas, principal, KPMG Cyber Security Services. "Consumer demands for the ethical use of data and increased control over their own data must be a core consideration in developing data privacy policies and practices.

Facebook and privacy

Facebook may offer a case in point in how consumers’ personal data gets packaged and sold. The issue burst into the headlines in 2018 when Facebook revealed that a political marketing firm, Cambridge Analytica, had gained unauthorized access to user data to target political ads in 2016.

There have been other revelations of the misuse of consumer data in the years that followed, including a 2019 disclosure which indicated that as many as 100 app developers retained data from user groups on the platform. 

In June, Google was sued for allegedly violating the privacy of millions of users by tracking their use of the internet via browsers set to “private” browsing mode. The lawsuit seeks at least $5 billion; $5,000 per user or three times actual damages, whichever is greater, according to the complaint.

While consumers overwhelmingly believe companies and the government need to do more to protect privacy, the KPMG survey also found consumers have some responsibility in that area too.

More than 40 percent of those in the survey said they often use the same password for multiple accounts, use public Wi-Fi, or save a card to a website or online store, even though they are aware that it poses a privacy risk.

"Part of the challenge for corporations will be getting employees and customers to do their part in protecting their own data," said Steve Stein, principal, KPMG Cyber Security Services.  

TikTok -- the Chinese video-sharing social networking service used by more than a billion people -- says it wants to be transparent. 

Given the recent run of bad luck the company has had with the U.S. government, Amazon, Wells Fargo, and others, there may be a number of doubters who think the idea sounds fishy, but the company seems to think that the only way to reverse its bad luck is by proving that it’s on the up and up.

When TikTok uses the word “transparent,” what it’s saying is that it is taking steps to give outsiders complete access to the algorithms its app uses to categorize and share users’ videos. To add some muscle to its offer, the company says it will let experts “observe our moderation policies in real-time.”

Opening up the algorithm

TikTok CEO Kevin Mayer laid out his vision in a blog post on Wednesday, cheerleading the notion that “fair competition and transparency benefits us all.” Coming clean about TikTok’s issues, Mayer admitted that the app’s Chinese origin is an elephant it can’t seem to get out of the company’s boardroom, 

“With our success comes responsibility and accountability. The entire industry has received scrutiny, and rightly so. Yet, we have received even more scrutiny due to the company's Chinese origins,” Mayer said. He then threw down a challenge to the company’s competitors.

“We will not wait for regulation to come, but instead TikTok has taken the first step by launching a Transparency and Accountability Center for moderation and data practices,” he said. “Experts can observe our moderation policies in real-time, as well as examine the actual code that drives our algorithms. This puts us a step ahead of the industry, and we encourage others to follow suit.”

Angling for a more favorable position

Timing is everything, and that’s not lost of Mayer. The big wigs at Amazon, Apple, Facebook, and Google were in D.C. to face the House of Representatives' Judiciary’s antitrust panel on Wednesday. Even though TikTok officials were spared being grilled in person, it’s pretty likely that the platform’s name will come up before the gavel closes the session.

In the past, Facebook boss Mark Zuckerberg has held up TikTok as an example of why American tech firms need to be free to counter the rise of China. In his prepared remarks, published Tuesday, Zuckerberg brought up the subject of competition between Facebook and its foreign rivals again by claiming that the playing field in China, in particular, is not level.

While Zuckerberg was waiting for his turn in front of legislators on Wednesday, Mayer took the opportunity to take a shot across Zuckerberg’s bow in hopes of making TikTok look like a good guy. 

“Facebook is even launching another copycat product, Reels (tied to Instagram), after their other copycat Lasso failed quickly,” Mayer wrote. “But let's focus our energies on fair and open competition in service of our consumers, rather than maligning attacks by our competitor – namely Facebook – disguised as patriotism and designed to put an end to our very presence in the U.S.”

Garmin has confirmed that a ransomware attack was behind a system outage that customers dealt with for five days starting July 23. 

"Garmin is currently experiencing an outage that affects Garmin services including Garmin Connect," the company said in a statement last week. "As a result of the outage, some features and services across these platforms are unavailable to customers."

On Monday, the company said an external cyberattack “encrypted some of our systems” and disrupted many of its services.

“As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications,” the statement read. “We immediately began to assess the nature of the attack and started remediation.”

Garmin said it has “no evidence” that any customer data, including activity and payment information, was compromised or stolen. The fitness tracker and GPS maker said it’s restoring service, but it will take a few days before everything is completely back to normal. 

Sources told tech websites ZDNet, TechCrunch, and Bleeping Computer that the outage was caused by ransomware called WastedLocker, which is run by a cybercriminal group known as Evil Corp. 

The Justice Department on Tuesday charged two Chinese hackers with attempting to gain access to the United States’ COVID-19 research. 

The Department said the two individuals charged were involved in a global hacking campaign that spanned more than a decade. The hackers recently sought to exploit vulnerabilities in the computer networks of a Massachusetts biotech company carrying out COVID-19 vaccine research. 

In an 11-count indictment, the DOJ alleged that LI Xiaoyu and DONG Jiazhi “conducted a hacking campaign lasting more than ten years to the present, targeting companies in countries with high technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom.” 

The Department said the hackers were trained in computer applications technologies at the same Chinese university. Both individuals were working for the Chinese government’s Ministry of State Security and for their own personal financial gain. 

Targeting sensitive information

The industries allegedly targeted by the pair included high tech manufacturing, medical devices, industrial engineering, business, pharmaceuticals, and defense, among others. The Justice Department said there was at least one instance in which the hackers attempted to extort cryptocurrency by threatening to release the victim’s stolen source code on the internet. 

More recently, the hackers “probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments,” the Department said. There is currently no indication that the hackers were successful in obtaining any COVID-19 research. 

The indictment comes in the same month that intelligence officials said Russian hackers had attempted to target organizations carrying out coronavirus vaccine research. The charges filed today are the first to formally accuse foreign hackers of targeting ongoing COVID-19 research in the U.S., according to the Associated Press. 

“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” John C. Demers, assistant attorney general for national security, said in a statement.

A Russian hacking group is reportedly targeting organizations carrying out research on a COVID-19 vaccine, according to intelligence agencies from the U.S., U.K., and Canada. 

In an advisory published Thursday by the UK National Cyber Security Centre (NCSC), security officials warned that a hacking group called APT29 (also called “the Dukes” or “Cozy Bear”) is targeting health care organizations in the three countries.

The group is using malware and spear-phishing attacks to try to steal coronavirus vaccine research. Officials didn’t say how much vaccine information the Russian group has stolen or how the group’s actions have impacted research efforts.

"APT29's campaign of malicious activity is ongoing, predominantly against government, diplomatic, think tank, healthcare and energy targets to steal valuable intellectual property," a press release on the advisory said.

History of hacking

The hacking group previously carried out a phishing attack on Hillary Clinton’s campaign chairman John Podesta in 2016. 

“APT29 has a long history of targeting governmental, diplomatic, think-tank, health care and energy organizations for intelligence gain, so we encourage everyone to take this threat seriously,” said Anne Neuberger, the National Security Agency’s cybersecurity director.

Dominic Raab, the U.K.’s foreign secretary, said it’s “completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic.”

“While others pursue their selfish interests with reckless behavior, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health,” Raab said in a statement, adding that the U.K. will "continue to counter those conducting such cyber attacks.” 

The NSA said it remains “steadfast in its commitment to protecting national security by collectively issuing this critical cybersecurity advisory as foreign actors continue to take advantage of the ongoing COVID-19 pandemic.” 

Following in Amazon’s footsteps, Wells Fargo has announced that it doesn’t want TikTok on its employees' work phones either. In a note to employees, the banking giant said the app must be removed from all company phones immediately due to privacy concerns. 

“We have identified a small number of Wells Fargo employees with corporate-owned devices who had installed the TikTok application on their device,” the company told The Information. 

“Due to concerns about TikTok’s privacy and security controls and practices, and because corporate-owned devices should be used for company business only, we have directed those employees to remove the app from their devices.”

Mere hours before Wells Fargo sent the email to its employees, Amazon sent out a similar message, warning that employees who didn’t uninstall the app from their work phones would no longer be able to access company email. 

TikTok, which is owned by China-based tech company Bytedance, has been under scrutiny lately. The Trump administration has threatened to have the app banned entirely amid concerns that the company could share data with the Chinese government. 

TikTok said it has never been asked to do that, and it added that it’s “committed to protecting users’ privacy and being transparent about how our app works.” 

National security risk?

Following Amazon’s decision last week, TikTok said it didn’t understand why the company decided to demand that employees remove the app but said it was willing to discuss the matter. 

“While Amazon did not communicate to us before sending their email, and we still do not understand their concerns, we welcome a dialogue so we can address any issues they may have and enable their team to continue participating in our community,” a spokesperson said in a statement. 

Mike Pompeo, the Secretary of State, told Fox News last week that the Trump administration is considering blocking some Chinese apps, including TikTok, calling them a risk to national security.

"With respect to Chinese apps on people's cell phones, I can assure you the United States will get this one right too. But, it is something we are looking at.”

Facebook has more egg on its face. Besides the bevy of advertisers pulling their ad dollars over the company’s stance on hateful content, the master spirit of social media has confessed that it erred in sharing the personal data of inactive accounts -- and for longer than it had the authority to do so.

In a blog post, Facebook’s Konstantinos Papamiltiadis, VP of Platform Partnerships, came clean about the mistake, saying that “in some instances” third-party apps collected data from inactive users past the 90-day window that Facebook’s Mark Zuckerberg committed to in the face of the Cambridge Analytics scandal.

What exactly happened

The example that Papamiltiadis used was if someone used a fitness app to invite their friends from their hometown to a workout. He said in an instance like that, Facebook didn’t recognize that some of the user’s friends may have been inactive for several months.

Papamiltiadis estimated that around 5,000 app developers continued to receive some sort of information -- like gender or the language spoken -- but that the company has yet to see any hard evidence that the issue went further than the permissions those inactive accounts originally gave when they signed up for the app.

“We fixed the issue the day after we found it. We’ll keep investigating and will continue to prioritize transparency around any major updates,” Papamiltiadis promised.

Going forward

Whether this is an incident error or an egregious one, Facebook quickly instituted new safeguards to keep this from happening again. 

Those new measures fall under a revision of Facebook’s Platform Terms and Developer Policies, which detail app developers' responsibility to safeguard data and respect people’s privacy when using its platform. Specifically, the company is putting limitations on the information developers can share with third parties without the explicit consent from a user. 

Papamiltiadis said that the updated policy should also strengthen data security requirements and spell out exactly when developers have to delete a user’s data.

Millions of Americans have been working from home since late March and are likely to continue doing so well into next year.

While the threat from scammers targeting individuals has been quick to emerge, a new IBM study has found a host of security issues resulting from this new trend that pose risks to corporations and consumers’ personal information.

At the office, employees usually work on highly secure networks with robust safety protocols. At home, the IBM study found employees are using their home WiFi and are often completing work on personal laptops.

‘Long-lasting reality’

Businesses and employees were thrust into the work-at-home world suddenly, with little to no time for planning. The study authors found that most of the employees now working from home had little to no experience doing so before the pandemic closed their offices.

The study authors worry that cybercriminals will have a much easier time breaching an employee’s home security network than they would breaking into a corporate network. They point out that customer service agents who worked in closely managed call centers are now managing sensitive customer data at home.

"Organizations need to use a risk-based approach with work-from-home models, then reassess and build from the ground up," said IBM’s Charles Henderson. "Working from home is going to be a long-lasting reality within many organizations, and the security assumptions we once relied on in our traditional offices may not be enough as our workforce transitions to new, less controlled surroundings."

Henderson says businesses need to be playing catch-up. IBM found that most employees now working from home are confident in their company's ability to keep personally identifiable information secure in this new environment. But 52 percent said they are using personal laptops to work at home, and 45 percent said they haven’t received any specific training.

Policy lapses

The study contains a virtual catalog of additional policy lapses that could expose business and consumer data. Specifically, the study found that:

• More than half of employees have not been provided with new guidelines on how to handle highly regulated data while working from home;

• More than 50 percent of respondents don't know of any new company policies related to customer data handling, password management, and other sensitive information;

• More than 50 percent of new work from home employees are using their own personal computers for business use, but 61 percent say their employer hasn't provided tools to properly secure those devices; and

• Sixty-six percent of employees have not been provided with new password management guidelines, which could be why 35 percent are still reusing passwords for business accounts.

While there have been no major data breaches reported since employees began working from home, the current trends are not encouraging. A recent analysis by researchers at cybersecurity company Tessian found just over half of home-bound employees are engaging in riskier behavior, such as using email to share sensitive files instead of more secure means of communication.