Cybersecurity News

SolarWinds hack bears similarities to tool used by Russian hackers

Researchers say the code deployed was similar to one used by a known Russian hacking group

Investigators said Monday that the hackers behind the global SolarWinds incident used computer code with links to known Russian spying tools, Reuters reports. 

It recently came to light that cyber criminals hacked SolarWinds to gain access to at least 18,000 government and private networks. It is believed that the cyberattackers’ goal was to collect intelligence. 

Now, researchers at Moscow-based cybersecurity company Kaspersky said the attackers deployed code that closely resembled malware associated with a Russian hacking group known as “Turla.” 

The way in which the SolarWinds hack was carried out had three notable similarities to a hacking tool called “Kazuar,” which is used by Turla, according to Costin Raiu, head of global research and analysis at Kaspersky.

Similarities were noted in how the hackers identified their victims and in how they avoided detection by using a specific formula to calculate the periods during which the malware lay dormant. Additionally, both pieces of malware attempted to obscure their functions from security analysts.

“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”

Connection likely

Raiu said the similarities point to the likelihood of a link between the two hacking tools, but they don’t necessarily imply that Turla played a role in the SolarWinds hack. He said there’s a possibility that the hackers behind the SolarWinds hack were merely inspired by Kazuar, or that they deliberately planted “false flags” in order to throw off investigators. 

Although Moscow has denied involvement in the hack, U.S. intelligence agencies have said that the hackers were “likely Russian in origin.” Security firms in the U.S. and other countries are continuing to investigate the incident in order to determine its full scope, and the Department of Justice has vowed to take serious action. 

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said last week. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted.”

Justice Department confirms that it was part of the SolarWinds hack

The agency calls the attack a major incident and vows to take serious action

After sitting on the news for almost two weeks, the U.S. Department of Justice (DOJ) has confirmed that its email systems fell prey to the same band of cyberattackers linked to the global SolarWinds incident that has affected government and private sector businesses.

“On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment,” DOJ spokesman Marc Raimondi said in a statement.

Raimondi went on to say that the number of affected email boxes was limited to around 3 percent and that the agency has no indication that any of its classified systems were impacted.

“A major incident”

According to a joint statement issued by the recently organized Cyber Unified Coordination Group -- which includes the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence, and the National Security Agency -- the hackers are “likely Russian in origin” and “responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”

The group’s investigation is ongoing, and it’s possible they could turn up additional government victims. In the group’s estimation, the hackers’ goal appeared to be collecting intelligence, rather than anything destructive.

Nonetheless, the attack on the DOJ was serious enough that it’s vowing to take serious action.

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted.”

President Trump bans WeChat Pay and several other Chinese apps

The Trump administration says the apps raise national security concerns

President Trump has signed an executive order banning several Chinese payment apps, including Alipay and WeChat Pay. 

A senior administration official said the order, which was signed late in the day on Tuesday, aims to keep American user data from being shared with the Chinese government. The Trump administration cited the possibility that the apps mentioned in the order could be used as a “mass tool for global oppression.”

"The United States must take aggressive action against those who develop or control Chinese connected software applications to protect our national security," the order said.

In total, eight Chinese apps are banned under the order: Tencent QQ, CamScanner, SHAREit, VMate, WPS Office, QQ Wallet, Alipay, and WeChat Pay. 

National security concerns

The U.S. government has concluded that the apps named in the order automatically capture “sensitive personally identifiable... and private information” from millions of users in the United States. President Trump is concerned that the apps could be used to track and build dossiers of personal information on federal employees.

“At this time, action must be taken to address the threat posed by these Chinese connected software applications,” Trump wrote. 

The order will take effect after 45 days, which leaves open the possibility that President-elect Joe Biden will revoke it. The incoming presidential administration has yet to say how it plans to handle the order. 

The Trump administration has previously attempted to ban Chinese-based apps like TikTok and WeChat over national security concerns. Both attempts were unsuccessful. 

In 2019, the administration launched a trade war against Beijing and blacklisted Huawei Technologies, ZTE, and other Chinese firms over national security concerns. The Federal Communications Commission (FCC) has designated Huawei and ZTE as national security threats, but both companies have denied that they share data with the Chinese government.

T-Mobile admits to its fourth data breach in three years

Customers were much luckier this time than they have been in the past

T-Mobile’s cybersecurity team is once again being put to the test. On Monday, the phone carrier announced that it experienced its fourth data breach in three years. 

The company did not say what portion of its nearly 100 million user accounts were at risk, but it did confirm that the data accessed did not include names on the account, physical or email addresses, financial data, credit card information, Social Security numbers, tax IDs, passwords, or PINs.

“Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account,” said Matt Staneff, the Chief Marketing Officer of T-Mobile USA.

“We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”

What happened?

In a letter to customers, Staneff said T-Mobile’s cybersecurity team detected -- then shut down -- “malicious, unauthorized access” to “some” information related to T-Mobile accounts. Staneff specified that “some” meant customer proprietary network information (CPNI). Phone companies are permitted by the Federal Communications Commission (FCC) to collect CPNI, which typically includes call information such as the date and duration of a call, the phone number called, and the type of network a consumer subscribes to -- in short, the kind of information that appears on a customer’s phone bill.

T-Mobile users weren’t so lucky in March 2020 when a data breach allowed hackers to gain access to T-Mobile employee email accounts. That, in turn, opened up access to customers’ names, addresses, Social Security numbers, financial account information, phone numbers, billing and account information, and rate plans. 

T-Mobile offers to answer any questions

Staneff said the company is ready to answer additional questions if a customer wants further details. Customers can either contact the company online, ask questions at one of the company’s stores, or go through the customer service team at 1-800-937-8997. 

“We are sorry for any inconvenience this may cause you. We take the security of customer information seriously and, while we have a number of safeguards in place to protect customer information from unauthorized access, we will continue to work to further enhance security so we can mitigate this type of activity,” Staneff promised.

Microsoft says at least 40 organizations were targeted in massive cyber breach

The company says the list of victims is likely to keep growing

In a blog post on Thursday, Microsoft said it identified more than 40 organizations that were targeted by attackers using “sophisticated measures.”

Most victims of the attack (80 percent) were located in the U.S. The other targeted groups were spread across seven other countries: Canada, Mexico, Belgium, Spain, the U.K., Israel, and the United Arab Emirates. Microsoft said it has started working with the groups identified as victims. 

Those affected were running compromised versions of a third-party software platform called SolarWinds Orion. Hackers were able to escalate their intrusions with additional, second-stage payloads. Microsoft said it discovered the intrusions using data from its Microsoft Defender antivirus product, which is built into all Windows installations.

"It's a certainty that the number and location of victims will keep growing," said Microsoft President Brad Smith. 

Microsoft targeted

Microsoft itself was among those targeted by hackers, but the company denied claims that its production systems were compromised or that the attack affected its business customers and end-users. 

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” the statement said.

Microsoft said the attack “represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them.” 

The company said the attack is being “actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft." Smith said it’s become clear that stronger international rules are needed to help prevent future attacks of this magnitude. 

“The defense of democracy requires that governments and technology companies work together in new and important ways – to share information, strengthen defenses and respond to attacks,” he wrote. “As we put 2020 behind us, the new year provides a new opportunity to move forward on all these fronts.” 

Security researchers find malicious code in 28 Chrome and Edge extensions

Over three million users are advised to disable or uninstall the extensions right away

More than three million Google Chrome and Microsoft Edge users are believed to have installed extensions that contain malicious code, according to security firm Avast. 

Avast researchers said users who installed one of 28 third-party extensions containing hidden malicious JavaScript could be at risk of data theft and phishing attacks. 

The extensions in question are primarily designed to help users download multimedia content from social networks such as Facebook, Instagram, Vimeo, and Spotify. But Avast said users could end up being redirected to a site where the attacker gets paid for user visits. In other cases, users could end up on phishing sites.

“Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit,” the security firm explained.

Names of extensions

Avast said it found evidence that some of the malicious extensions had been active since at least December 2018. The researchers discovered the code hidden in the extensions last month and reported their findings to Google and Microsoft.

Both companies have said they are investigating the extensions. In the meantime, Avast has recommended that users disable or uninstall the extensions. 

Here is the list of Chrome extensions that contain malicious code, according to Avast: 

  • Direct Message for Instagram
  • DM for Instagram
  • Invisible mode for Instagram Direct Message
  • Downloader for Instagram
  • App Phone for Instagram
  • Stories for Instagram
  • Universal Video Downloader
  • Video Downloader for FaceBook™
  • Vimeo™ Video Downloader
  • Zoomer for Instagram and FaceBook
  • VK UnBlock. Works fast.
  • Odnoklassniki UnBlock. Works quickly.
  • Upload photo to Instagram™
  • Spotify Music Downloader
  • The New York Times News

Avast said the following Edge extensions contain malicious code: 

  • Direct Message for Instagram™
  • Instagram Download Video & Image
  • App Phone for Instagram
  • Universal Video Downloader
  • Video Downloader for FaceBook™
  • Vimeo™ Video Downloader
  • Volume Controller
  • Stories for Instagram
  • Upload photo to Instagram™
  • Pretty Kitty, The Cat Pet
  • Video Downloader for YouTube
  • SoundCloud Music Downloader
  • Instagram App with Direct Message DM

Facebook takes out full-page ads to slam Apple’s upcoming privacy changes

The social media giant claims Apple’s update threatens millions of small businesses

It looks like Facebook has unfriended Apple. On Wednesday, the social media platform took out full-page ads in the New York Times, Washington Post, and Wall Street Journal to denounce Apple’s upcoming iOS privacy changes. Facebook claims that it’s “standing up to Apple for small businesses everywhere.”

The barrel of ink Facebook is throwing Apple’s way is supposedly related to Apple’s iOS 14 privacy changes, which will require app developers like Facebook to “provide information about some of your app’s data collection practices on your product page.” The change will also require Facebook to “ask users for their permission to track them across apps and websites owned by other companies.”

Facebook comes out swinging

Facebook didn’t come right out and say it, but Apple’s disclosure shift will impact Facebook’s ad business, especially its ad network for developers and businesses if end users opt out of being tracked.

In the ad, Facebook maintains that Apple’s changes will be “devastating to small businesses” that rely on its ad network to leverage clicks and sales. The newspaper ads that Facebook took out ask small businesses to check out the platform’s “speak up for small business” site that features a series of business owners speaking out on Apple’s changes. Some of those comments are pretty shaming -- things like “This is going to affect me and my family,” and “We could lose our business.”

While Apple has yet to publicly respond to Facebook’s ads, the company did respond to similar Facebook claims in November, accusing Facebook of a “disregard for user privacy.” Apple is steadfast in its position that the upcoming privacy policies will be enforced when they go into effect in early 2021. The company said it is “committed to ensuring users can choose whether or not they allow an app to track them.”

Facebook’s call for support

Facebook said it hopes the Direct Marketing Association (DMA) will also set boundaries for Apple. 

“Apple controls an entire ecosystem from device to app store and apps, and uses this power to harm developers and consumers, as well as large platforms like Facebook,” a Facebook spokesperson said in a statement to CNBC.

If Facebook’s game is to play two ends against the middle, maybe it should have first asked the DMA if it had its back. “We respect your privacy – and so do our members,” is the organization’s promise to consumers. “(Our Association of National Advertisers) ensures that consumers have choices about unwanted marketing offers. Our members honor consumers who don’t want to be contacted. You have choices about the type of marketing you receive.”

FTC demands that social media giants come clean about user data collection

One commissioner is crying foul because the agency left off other social media companies like Apple and LinkedIn

The Federal Trade Commission (FTC) turned up the heat on the social media big wigs on Monday. In a new mandate, the Commission will now require nine tech firms to disclose exactly how they collect and use data from their users.

Called on the carpet are the usual suspects -- Amazon, Facebook, and Twitter -- along with Google’s YouTube, TikTok’s owner ByteDance, Discord, Facebook’s WhatsApp, Reddit, and Snap. The companies have until January 28, 2021 to respond.

What is the FTC looking for?

Specifically, the FTC is leveraging Section 6(b) of the FTC Act, which gives it the authority to ask about how the companies “compile data concerning the privacy policies, procedures, and practices of [such] providers, including the method and manner in which they collect, use, store, and disclose information about users and their devices.”

Moving past the legalese, the FTC said that what it’s trying to ascertain is really more consumer-oriented. The questions it wants answered are:

  • “How social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;
  • How they determine which ads and other content are shown to consumers;
  • Whether they apply algorithms or data analytics to personal information;
  • How they measure, promote, and research user engagement; and
  • How their practices affect children and teens.”

The commissioners weigh in

After making their demands, the FTC commissioners said that the agency is seeking more information in the best interest of consumers.

“Never before has there been an industry capable of surveilling and monetizing so much of our personal lives. Social media and video streaming companies now follow users everywhere through apps on their always-present mobile devices,” Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Christine S. Wilson said in a statement. 

“This constant access allows these firms to monitor where users go, the people with whom they interact, and what they are doing. But to what end? Is this surveillance used to build psychological profiles of users? Predict their behavior? Manipulate experiences to generate ad sales? Promote content to capture attention or shape discourse? Too much about the industry remains dangerously opaque.”

Commissioner Noah Joshua Phillips was the dissenting vote among the commissioners, saying that the move was an “undisciplined foray into a wide variety of topics.” He called his peers out for omitting other companies engaged in business practices similar to the nine companies named. Phillips asked why Apple, Gab, GroupMe, LinkedIn, Parler, Rumble, Tumblr, and WeChat weren’t also named. He answered his own question rather snarkily. 

“The only plausible benefit to drawing the lines the Commission has is targeting a number of high profile companies and, by limiting the number to nine, avoiding the review process required under the Paperwork Reduction Act ... which is not triggered if fewer than ten entities are subject to request.”

Russian hackers accused of hacking into government and private sector businesses again

Microsoft says that its user base and systems are safe

Russian hackers, believed to be working on behalf of the Kremlin, were apparently behind an attack into computer systems at the departments of the U.S. Treasury and Commerce that may have gone on for months before being detected. To make matters worse, people familiar with the matter feel that this situation just may be the tip of the iceberg.

According to U.S. officials and a report by National Public Radio (NPR), the Russian hackers broke into the email systems at those two government departments, and it was so consequential that it led to a National Security Council meeting at the White House on Saturday, one of the people familiar with the matter told Reuters.

It may come as no surprise that Russia denies any involvement. The Russian foreign ministry took to Facebook to say the allegations were nothing more than another “unfounded attempt” by the American media to blame Russia for cyberattacks directed at U.S. agencies.

Malicious actors

In its response to the “known compromise,” the Department of Homeland Security said that the hack involved SolarWinds Orion network monitoring products being exploited by malicious actors.

“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners -- in the public and private sectors -- to assess their exposure to this compromise and to secure their networks against any exploitation,” the DHS’ Cybersecurity and Infrastructure Security Agency said in a statement.

The Commerce Department and the National Security Council both confirmed the breach, but the agencies didn’t give any extra information about the extent of the hack or the measures that have been taken to secure the email accounts.

The private sector is also in danger

In addition to the government breaches, the hackers also wormed their way into the computer systems of private companies.

More than 400 of the U.S. Fortune 500 companies use SolarWinds products, according to KrebsOnSecurity. That list includes all branches of the military, as well as all ten of the Top 10 communications companies, all five of the Top 5 accounting firms, and hundreds of colleges.

Security firm FireEye, which also happened to be hit by the hack, said cyber criminals inserted malware into SolarWinds updates that “(went) to significant lengths to observe and blend into normal network activity.” It also concluded that the breach is a “global campaign” and had confirmed intrusions in North America, Europe, Asia, and the Middle East. 

In a blog post late Sunday, Microsoft echoed FireEye’s assessment, saying that it believes the hack represents “nation-state activity at significant scale, aimed at both the government and private sector." The company also had words for its own users.

“We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations. As part of our ongoing threat research, we monitor for new indicators that could signal attacker activity,” the company said.

Cybersecurity firm FireEye suffers major cyber attack

Russian hackers are reportedly being investigated as the likely culprit

FireEye, one of the nation’s leading cybersecurity firms, has shared details of a hack targeting its “Red Team” tools, which it uses to test customers’ security. The firm said there is concern that the hackers could publicly release the tools they accessed or use them to carry out other attacks. 

In a blog post, FireEye CEO Kevin Mandia said the attack was “different from the tens of thousands of incidents we have responded to throughout the years.” 

“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus,” Mandia wrote. “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.” 

Russia reportedly a suspect

FireEye said it doesn’t currently have evidence that any customer information was taken. 

Although the company didn’t say in its report who it believes is responsible for the attack, the Wall Street Journal reported that state-sponsored Russian hackers are a likely suspect. A source familiar with the matter told the Journal that Russia is currently being viewed by investigators as “the most likely culprit.” 

“Moscow’s foreign-intelligence service, known as the SVR and one of two Russian groups that hacked the Democratic National Committee ahead of the 2016 presidential election, is believed to be responsible, the person said,” according to the Journal. 

FireEye didn’t specify when the hack took place or when it became aware of it. The hack is currently being investigated by FireEye, as well as the FBI and industry partners like Microsoft.

Since becoming aware of the attack, FireEye said it’s developed hundreds of countermeasures that can detect or block the use of any of its stolen tools. The firm said it has integrated the measures into its own security products and shared them with “colleagues in the security community.” 

FireEye said it will “continue to share and refine any additional mitigations for the Red Team tools as they become available.” 

Google researcher demonstrates serious iPhone security flaw

A since-fixed vulnerability could have given an attacker complete access to an iPhone within Wi-Fi range

A Google researcher has demonstrated an Apple security vulnerability that could have allowed hackers to gain full access to a person’s iPhone. A cyberattacker could have exploited the flaw without having the user download malware or click on a suspicious link. To fall victim, a user would have only had to be within Wi-Fi range. 

Ian Beer -- a security researcher with Google’s Project Zero -- explained in a video this week that it was possible for a Raspberry Pi setup with off-the-shelf Wi-Fi adapters to steal photos from an iPhone in a different room in a matter of minutes. The same security vulnerability also allowed Beer to repeatedly reboot 26 iPhones at the same time. 

Apple fixed the vulnerability in May, but Beer said he spent six months looking into the issue.

"Imagine the sense of power an attacker with such a capability must feel," Beer said in a blog post. "As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target."

Full access to a device

Through his extensive research, Beer found a “wormable radio-proximity exploit” that allowed him to gain “complete control over any iPhone in my vicinity.” He said he was able to view photos, read emails, copy private messages, and monitor everything that happens on a device in real time.

“The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine,” he wrote. “Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”

Beer said he hadn’t seen any evidence that the flaw was exploited prior to being fixed, but he said consumers can never be too careful when it comes to the security of their mobile devices. Issues like these are likely to surface again. 

"As things stand now in November 2020, I believe it's still quite possible for a motivated attacker with just one vulnerability to build a sufficiently powerful weird machine to completely, remotely compromise top-of-the-range iPhones," Beer said.

Hacker sells email credentials of ‘hundreds’ of high-level executives

Stolen account credentials are being sold for $100 to $1500 each

A hacker is reportedly selling access to email accounts belonging to “hundreds” of high-level executives across the world. The accounts are going for $100 to $1500 each, depending on the value of each account. The targets include CEOs, vice presidents, and directors.

The email and password combinations are being sold on a “closed-access underground forum for Russian-speaking hackers named Exploit.in,” according to ZDNet. The seller did not disclose how he obtained the login credentials, but he claimed to have hundreds of additional accounts to sell. 

ZDNet said a cybersecurity source has confirmed the validity of the stolen data. That source has begun the process of notifying all the affected companies. 

Scam potential 

If corporate executive login credentials fall into the wrong hands, both the executives and their workers could be affected. Cybercriminals can use compromised corporate email credentials for a variety of money-making schemes, KELA Product Manager Raveed Laeb explained to ZDNet. 

"Attackers can use them for internal communications as part of a 'CEO scam' - where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme,” Laeb said.

Stolen login credentials can also be “exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion," Laeb added.

To reduce the likelihood of such events unfolding, cybersecurity experts highly recommend using two-step verification or two-factor authentication for online accounts. Attackers won’t be able to do anything with stolen login details in cases where the user has set up 2SV or 2FA. 


‘Password’ and ‘123456’ top list of worst passwords in 2020

Experts say these weak passwords have been cracked millions of times by hackers

Password manager NordPass has released its annual list of the worst passwords, and 2020’s list includes many of the same weak passwords as years prior. 

Consumers are still protecting their data with simple passwords that are infamous for being easy to crack, according to this year’s list. For example, NordPass found that millions of people are still using “password" and “123456” as passwords. The firm said the latter has been breached more than 23 million times. 

Many people may choose variations of the number row because it’s quick and easy to type, but research has found that these frequently used passwords take less than a second to crack. Combinations of adjacent keys, such as “asdfghjkl” or “qwertyuiop,” have also been found to be highly vulnerable to cracking. 

Worst passwords of 2020

NordPass’s full list contains 200 of the most commonly used passwords, ranked by metrics such as how many times each password has been exposed and how long it would take an unauthorized party to crack it. 

Below are the top 20 worst passwords of the year. 

  • 123456

  • 123456789

  • picture1

  • password

  • 12345678

  • 111111

  • 123123

  • 12345

  • 1234567890

  • senha

  • 1234567

  • qwerty

  • abc123

  • Million2

  • 000000

  • 1234

  • iloveyou

  • aaron431

  • password1

  • qqww1122

Protecting your data

To keep sensitive data from being exposed, NordPass recommends making sure all passwords are unique and complex. This can be made easier through the use of a password manager or a third-party service like LastPass or Apple’s iCloud Keychain. 

NordPass also suggests enabling two-factor authentication when possible and deleting any old or inactive accounts. 
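The patterns the article describes (list entries, number-row sequences, adjacent-key walks, repeated characters) can be caught before a password is accepted. The checker below is an added example, not NordPass's code; it embeds the top-20 list from the article as its blocklist and assumes a US QWERTY layout for the keyboard-walk check.

```python
"""Flag passwords that match the weak patterns discussed in the NordPass list."""
import re
from typing import List

# The 20 entries reproduced in the article above, used here as a blocklist.
# A production deployment would use the full 200-entry list or a breach corpus.
COMMON_PASSWORDS = {
    "123456", "123456789", "picture1", "password", "12345678", "111111",
    "123123", "12345", "1234567890", "senha", "1234567", "qwerty", "abc123",
    "million2", "000000", "1234", "iloveyou", "aaron431", "password1", "qqww1122",
}

# Physical key rows of a US QWERTY keyboard (assumed layout). A contiguous slice
# of any row, read forwards or backwards, is an "adjacent-key" walk such as
# "asdfghjkl" or "qwertyuiop"; the digit row also covers "12345678" and "0987654321".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 12  # chosen for this example; NordPass itself only says "complex"


def _has_run(candidate: str, alphabets, min_run: int = 4) -> bool:
    """True if candidate contains a substring of length >= min_run that is a
    contiguous forward or backward slice of one of the alphabets."""
    lowered = candidate.lower()
    for row in alphabets:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in lowered:
                    return True
    return False


def _has_repeat(candidate: str, min_run: int = 4) -> bool:
    """True if one character repeats min_run or more times in a row ("111111")."""
    return re.search(r"(.)\1{%d,}" % (min_run - 1), candidate) is not None


def password_weaknesses(candidate: str) -> List[str]:
    """Return the list of reasons a password is weak; an empty list means none found."""
    reasons = []
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if _has_run(candidate, KEYBOARD_ROWS):
        reasons.append("contains a keyboard walk or digit sequence")
    if _has_repeat(candidate):
        reasons.append("contains a repeated character run")
    return reasons


if __name__ == "__main__":
    for sample in ("123456", "Qwertyuiop!2020", "correct-horse-battery-staple"):
        print(sample, "->", password_weaknesses(sample) or "ok")
```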


Microsoft says Russian and North Korean hackers attacked COVID-19 vaccine makers

The company says most of the attacks were throttled by its own security software

In all the hoopla regarding new vaccine test success from Moderna and Pfizer, Microsoft has uncovered a series of cyber attacks coming from Russia and North Korea targeted at research companies doing those tests.

In a blog post, Microsoft says the attacks targeted seven major pharmaceutical companies and researchers in Canada, France, India, South Korea, and the U.S. Microsoft didn’t say which companies were targeted or what type of information may have actually been compromised or stolen, but officials said they had notified the organizations and offered help where the attacks were successful.

“Two global issues will help shape people’s memories of this time in history – COVID-19 and the increased use of the internet by malign actors to disrupt society. It’s disturbing that these challenges have now merged as cyberattacks are being used to disrupt health care organizations fighting the pandemic,” wrote Microsoft’s Tom Burt, Corporate Vice President, Customer Security & Trust.

“We think these attacks are unconscionable and should be condemned by all civilized society. Today, we’re sharing more about the attacks we’ve seen most recently and are urging governments to act.”

The attacks and the protection

There are actually three key players in the attacks: “Strontium,” an actor originating from Russia, and two actors originating from North Korea that Microsoft has dubbed “Zinc” and “Cerium.”

Strontium uses “password spray” and brute force login attempts to steal personal login credentials. The software it uses conducts millions of rapid attempts to crack a third-party’s personal data. Zinc’s game is to use spear-phishing lures for credential theft by sending messages with fabricated job descriptions pretending to be recruiters. And Cerium? The angle it works is spear-phishing with email lures using COVID-19 themes while masquerading as World Health Organization representatives. 

Luckily, Burt says the “majority” of the attacks have been blocked by security protections built into the company’s products. The company is continuing to make its threat notification service, “AccountGuard,” available for free to health care and human rights organizations working on COVID-19. 

The company says that 195 health care-related groups have enrolled in the service, and it now protects 1.7 million email accounts that those organizations serve.


Microsoft urges users to stop using phone-based multi-factor authentication

A company executive says app-based authentication is more secure

A Microsoft executive is urging users to move away from phone-based multi-factor authentication (MFA) mechanisms and instead embrace newer security technologies, like app-based authenticators and security keys.

In a blog post, Alex Weinert, Director of Identity Security at Microsoft, said app-based two-factor authentication provides greater security.

Weinert said telephone-based multi-factor authentication (MFA) solutions -- like one-time codes sent via SMS and voice calls -- are “based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.” 

“That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages,” he said. “Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.” 

MFA is ‘essential’

In 2019, Weinert penned a blog post in which he said that internal Microsoft statistics showed that users who enabled MFA blocked around 99.9 percent of automated attacks against their Microsoft accounts. 

In a follow-up blog post earlier this week, he stressed that MFA itself is essential -- but the way people use it should change. If users have to choose between multiple MFA mechanisms, he said they should avoid phone-based MFA, which can be intercepted by attackers. 

Weinert said a good place to start is by using Microsoft’s Authenticator MFA app. For even greater security, hardware security keys can be used. 


FTC requires Zoom to enhance its security practices in new settlement

The company was accused of following deceptive and unfair practices

The Federal Trade Commission (FTC) announced a settlement with video conferencing platform Zoom on Monday that will require the company to implement a sturdier information security program. The FTC alleged that Zoom engaged in a series of “deceptive and unfair practices” that essentially undermined the security of its users.

The FTC’s complaint dates back to 2016 when the agency alleged that Zoom deceived users by falsely promising that it offered “end-to-end, 256-bit encryption” to secure users’ communications. Regulators said the falsehood created the possibility that other people (including Zoom) could read a user’s content. 

In the FTC’s eyes, Zoom also erroneously told users who wanted to store recorded meetings on the company’s cloud storage that those meetings were encrypted immediately after their meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.

Enter COVID-19

The matter was complicated further during the COVID-19 pandemic. Zoom’s reach skyrocketed from 10 million in December 2019 to 300 million in April 2020, putting even more users’ privacy at risk. 

Earlier this summer, the company attempted to soften the FTC’s angst by improving its security for all users versus only its paying subscribers, but those actions seemingly weren’t enough to appease regulators.

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

What changes Zoom users will see

The FTC’s laundry list of changes that Zoom users are supposed to see thanks to the settlement includes:

  • The annual assessment and documentation of any potential internal and external security risks and the development of ways to safeguard against such risks;

  • Implementation of a vulnerability management program; and

  • Deployment of safeguards such as multi-factor authentication to protect against unauthorized access to its network; institution of data deletion controls; and steps to prevent the use of known compromised user credentials.

The FTC didn’t stop there, though. On top of those three key changes, Zoom agreed to review any software updates for potential security flaws and must ensure that software updates will not hamper third-party security features. The company has also agreed not to misrepresent to the public its collection and use of personal information, and it will have an assessment of its security program made by an independent third party every other year.


Platform used by Hotels.com and Expedia leaks data of ‘millions’ of guests

Security researchers don’t know whether the data has already been found by a cybercriminal

The hotel reservation firm Prestige Software has exposed the data of millions of guests worldwide, Website Planet reports.

Prestige Software -- a platform that enables hotels to automate their availability on booking websites like Expedia and Booking.com -- reportedly stored files dating as far back as 2013 without any protection in place. 

Exposed information included names, credit card details, ID numbers, and reservation details. In some cases, logs contained personally identifiable information for multiple members included in a single booking.

No evidence of third party access 

At this time, it’s not known how long the trove of data was left unsecured or if any third parties accessed it. If the data was found by a cybercriminal, the party could steal identities, carry out phishing scams, or even hijack a reservation.

“Millions of people were potentially exposed in the data breach, from all over the world. We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” said researcher Mark Holden. “So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”

Website Planet said the firm quickly fixed the vulnerability after being alerted to the issue. 

Holden said that due to the sheer number of hotel and travel websites involved in the breach, it’s “impossible to help anyone already exposed if somebody found the data before us.” Clients of Prestige Software include Booking.com, Expedia, Hotels.com, and many others. 

“If you’re a customer of any of the websites listed in this report and are concerned about how this leak might impact you, contact the company directly to determine what steps it’s taking to protect your data,” Website Planet said.


DOJ announces the largest seizure of cryptocurrency ever

The U.S. government continues to get smarter at tracking down illegal cyber activity

The U.S. government has taken control of $1 billion in bitcoin from the now-defunct online black market Silk Road. The capture represents the largest cryptocurrency seizure to date.

Silk Road ranks as the most infamous online criminal marketplace of its day, but the Department of Justice (DOJ) brought it to its knees in 2015 when it successfully prosecuted its founder, Ross Ulbricht, on seven counts that included unlawfully facilitating the sale of illegal drugs and money laundering. 

By the time Silk Road was brought to justice, it had reportedly generated sales revenue totaling over 9.5 million bitcoins. Commissions from these sales totalled over 600,000 bitcoins, which presumably went right into Ulbricht’s pockets.

Follow the money

This is where the story gets interesting. Before Ulbricht was sent off to prison, he sheltered a billion in bitcoins in a digital wallet and did his best to tuck away the wallet where it would be hard to find.

Someone referred to as “Individual X” supposedly hacked the Silk Road’s payments system some time in either 2012 or 2013. The DOJ says that Ulbricht “threatened Individual X for the return of the cryptocurrency,” but the mysterious hacker refused. 

Enter the DOJ and the Washington DC Cyber Crimes Unit. The group -- which is tasked with investigating virtual currency transactions -- used a third-party bitcoin tracing company to analyze bitcoin transactions carried out by Silk Road and was able to identify 54 previously undetected transactions executed by the platform. An analysis showed that all of those transactions appeared to represent proceeds of unlawful activity that had been stolen from Silk Road.

The DOJ continued its hunt, and it cornered Individual X on November 3, 2020. The anonymous hacker agreed to hand over the stolen bitcoin and transfer it to the government's hands. The DOJ is mum on whether Individual X was arrested, cut a plea bargain, or even how their cooperation was attained.

“Criminal proceeds should not remain in the hands of the thieves,” IRS-CI Special Agent in Charge Kelly R. Jackson said in a statement. “The Washington DC Cyber Crimes Unit is uniquely specialized in tracing virtual currency transactions and we will continue to hone our skills to combat illegal activity.”


Online community for marijuana growers suffers data breach

GrowDiaries users are urged to change their passwords

GrowDiaries, an online community of marijuana growers, has suffered a major data breach. 

Security researcher Bob Diachenko reported that GrowDiaries left two of its Kibana apps -- an open-source analytics and visualization platform normally used by a company’s development and IT staff -- exposed online without administrative passwords since September 22, 2020. 

One of the unsecured Kibana apps led to the exposure of sensitive information belonging to 1.4 million users of the site. Information exposed included passwords, email addresses, and IP addresses. The other database exposed user articles posted on the GrowDiaries site, as well as users’ account passwords. 

Diachenko said he discovered the unprotected database on October 10. 

“It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords,” he wrote. “The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.” 

GrowDiaries secured its server less than a week after Diachenko notified site administrators of the issue. Although the site has been secured, GrowDiaries users are still urged to change their passwords just in case their old password was exposed. 

Diachenko said he couldn’t say for sure if any other third parties accessed the data while it was unsecured, but it “seems likely.” 
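Unsalted MD5 is fast and deterministic, so every user who chose the same password shares the same hash and one cracked value unlocks all of them. The code below is an added example, not GrowDiaries' code: it shows how a site can verify a legacy MD5 record on login and silently replace it with a salted, memory-hard scrypt record (parameters chosen here for illustration; the "scrypt$" record format is this example's own).

```python
"""Verify legacy unsalted-MD5 password records and upgrade them to salted scrypt."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Cost parameters assumed for this example (16 MiB of memory per hash);
# n should be raised as hardware gets faster.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)
DKLEN = 32


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest, the deprecated scheme described in the article."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt record in the form 'scrypt$<salt hex>$<key hex>' (example format)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=DKLEN, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + key.hex()


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Check a login attempt against a stored record.

    Returns (ok, record_to_store). For a correct password against a legacy MD5
    record, record_to_store is a fresh scrypt record the caller should write
    back; otherwise the original record is returned unchanged.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, key_hex = stored.split("$")
        key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                             dklen=DKLEN, **SCRYPT_PARAMS)
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(key.hex(), key_hex), stored

    # Legacy path: the database still holds an MD5 digest.
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, scrypt_hash(password)  # upgrade while the plaintext is available
    return False, stored


def records_reveal_shared_password(record_a: str, record_b: str) -> bool:
    """True if two stored records alone show that two users chose the same password.
    Unsalted MD5 leaks this; salted scrypt records do not."""
    return record_a == record_b


if __name__ == "__main__":
    db = {"alice": legacy_md5("password"), "bob": legacy_md5("password")}
    print("MD5 records identical:", records_reveal_shared_password(db["alice"], db["bob"]))
    ok, db["alice"] = verify_and_upgrade(db["alice"], "password")
    ok, db["bob"] = verify_and_upgrade(db["bob"], "password")
    print("scrypt records identical:", records_reveal_shared_password(db["alice"], db["bob"]))
```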


Hospital information systems hit by new wave of ransomware attacks

The FBI is urging health care providers to take additional precautions to secure their networks

The Federal Bureau of Investigation (FBI) has warned that hospital information systems have been hit by coordinated ransomware attacks, which could possibly lead to disruptions in patient care. 

In a joint advisory on Wednesday, the FBI and two other federal agencies said malicious groups have levied several data-scrambling extortion attempts against hospitals and healthcare providers over the past few weeks. 

Officials said they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The attacks could lead to “data theft and disruption of healthcare services,” the agencies said. 

Attack on health care system

The warning coincides with an uptick in the number of COVID-19 infections nationwide. On Monday, an analysis of data from Johns Hopkins University showed 69,967 new COVID-19 cases in the U.S. In just the last week, the seven-day average of new cases has risen 20 percent.

Officials said the targeted ransomware attacks will likely create issues that will be “particularly challenging for organizations within the COVID-19 pandemic.” Institutions are urged to take precautions to protect their networks. Recommended precautions include regularly updating software, backing up data, and monitoring who is accessing their systems. 

In September, cyber attackers launched a highly coordinated ransomware attack on a major U.S. hospital chain. The incident forced some hospital employees to revert to using pen and paper to file patient information. 

In the most recent wave of attacks on hospital networks, malicious groups are using Ryuk ransomware -- malicious software that encrypts files and holds them for ransom. The attackers are using the Trickbot network of infected computers to gain access to data, disrupt health care services and demand money from health care facilities in order to decrypt the files. 


Study finds most banks lack digital identity verification

FICO researchers found most require in-person visits to a branch

During the coronavirus (COVID-19) pandemic, more consumers than ever are using online banking. Yet a new survey shows banks in the U.S. and Canada are struggling to implement practices that combat online identity fraud and money laundering, without turning off their customers.

In an age of digital banking, the survey found that just over half of North American banks are still requiring customers to prove their identities by visiting branches or posting documents when opening digital accounts. 

The survey found the same situation in 25 percent of mortgages or home loans and 15 percent of credit cards opened online.

Rethinking their approach

"The pandemic has forced industries to fully embrace digital,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO, which commissioned the survey. “We now are seeing North American banks that relied on face-to-face interactions to prove customers' identities rethinking how to adapt to the digital-first economy."  

Andrew, of Scottsdale, Ariz., recently had this experience. In a post on ConsumerAffairs, Andrew told us that a fraud alert resulted in his Chase bank account being locked.

“I simply called their security department and was told it was closed out due to bank identity and that I would have to go into a branch and show 2 forms of ID's,” Andrew wrote in his post. 

Banks everywhere have instituted new procedures when fraud is suspected, a necessary measure considering the exponential growth of the crime. But Lasher says all banks should consider making the process as user-friendly as possible because it’s good for business in the long run.

"Today's consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations,” she said. “Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult."

Slow to embrace digital verification

The study found that only 16 percent of North American banks use the type of fully integrated, real-time digital capture and validation tools that FICO says are required for consumers to securely open a financial account online. 

Some banks have adopted some form of digital verification, but the study found that in most cases, the experience “still raises barriers,” with customers expected to use email or visit an "identity portal" to verify their identities.

The authors suggest that banks create a “frictionless process” that will meet consumers' expectations. Failing to do so could lead to a loss of business.

According to FICO's recent Consumer Digital Banking study, 75 percent of customers said they would open a bank account online, but 23 percent of them would give up and go somewhere else if they faced a difficult or inconvenient identity verification process.

Three-quarters of the banks in the study told FICO they plan to invest in an identity management platform within the next three years.  


Dickey’s BBQ data breach compromises millions of credit card records

Customers are being warned to watch out for suspicious charges

More than 100 Dickey’s Barbeque Restaurants across the U.S. were involved in a data breach that spanned more than a year. 

KrebsOnSecurity reported that one of the dark web’s most popular stores for selling stolen credit card information was offering card numbers belonging to customers of Dickey’s Barbeque Restaurants. 

Around three million new credit card records were being offered this week on a dark web carding site called “Jokers Stash.” Security researchers at Gemini Advisory initially discovered the stolen credit card numbers for sale on the dark web marketplace. 

Long-running breach

Gemini said its analysis found that 156 of the eatery’s 469 locations across 30 states were compromised. The largest share of stolen numbers was from California and Arizona. The data was accessed between July 2019 and August 2020, the researchers said. 

“Given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations,” researchers said in a blog post.

Report suspicious charges

In a statement, the barbeque franchise said it’s aware of the safety incident and that it’s currently investigating its scope.

“We obtained a report indicating [that a] cost card safety incident might have occurred. We’re taking this incident very significantly and instantly initiated our response protocol and an investigation is underway. We’re presently centered on figuring out the places affected and time frames concerned,” Dickey’s said.

Consumers who have visited Dickey’s Barbeque in the past year are urged to monitor their bank accounts and credit card transactions and report any fraudulent or suspicious charges to their financial institution as soon as possible. 


Barnes & Noble says cybersecurity attack may have compromised customer information

The breach affected its corporate systems and Nook platform

Barnes & Noble has disclosed that it was recently the victim of a cybersecurity attack, leading to "unauthorized and unlawful access to certain Barnes & Noble corporate systems."

In emails sent to customers, the bookseller said the personal data of some customers may have been accessed during the breach. The potentially exposed information includes customer email addresses, billing and shipping addresses, telephone numbers, and transaction histories. 

"It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems,” Barnes & Noble said in the email. "We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility.”

Barnes & Noble stressed that no financial data -- which it stores "encrypted and tokenized" for security purposes -- was taken or available to the hackers. However, the company warned that leaked email addresses could be used to carry out phishing campaigns. 

Nook platform affected

Nook Digital, the company’s eBook and e-Reader platform, was also affected by the breach. Since Sunday, Nook owners have been unable to download books to their devices. The bookstore giant acknowledged the issue in a tweet, telling customers that it was investigating the cause and that service restoration was taking longer than expected.

“We are continuing to experience a systems failure that is interrupting NOOK content. We are working urgently to get all NOOK services back to full operation. Unfortunately it has taken longer than anticipated, and we sincerely apologize for this inconvenience and frustration,” the company said.

Barnes & Noble assured customers that there was “no compromise of customer payment details” and said it will let users know when service has been restored.

“We expect NOOK to be fully operational shortly and will post an update once systems are restored,” the company wrote in an October 14 tweet. 


Facebook admits malware defrauded users out of $4 million

The company reimbursed users who lost money to the scheme

A band of Chinese digital wrongdoers have apparently ripped off Facebook users to the tune of $4 million. At Virus Bulletin’s virtual VB2020 conference, Facebook’s malware researchers and security analysts revealed that malware was found abusing Facebook's ad platform to run malicious ad campaigns that spammed users with phony celebrity endorsements and enticed them to make fraudulent purchases. 

Facebook’s security team coined the malware ‘SilentFade’ -- ‘Silently running Facebook ADs with Exploits’ -- based on how the attacks were carried out. The malware’s M.O. was to infect users, then commandeer their browsers and make off with browser cookies and passwords.

Once they had that, the bandits searched for user accounts that had payment methods associated with their profile. At that point, SilentFade was off to the races, buying Facebook ads for things like keto pills and weight loss products with the victim's funds. 

All told, Facebook said the group was able to fleece more than $4 million from infected users. To make things whole, Facebook reimbursed the $4 million back to the victims for unauthorized ads purchased using their ads accounts.

Not exclusive to Facebook

Satnam Narang -- a staff research engineer at Tenable who has uncovered similar scams on other social media platforms like TikTok, Instagram, and Twitter -- noted that it’s a well-conceived, “cunning” scam designed to take advantage of Facebook’s billions of users while also providing the bad actors with a layer of protection against getting caught.

"Facebook’s research into SilentFade highlights how users seeking out pirated software are further exposed to additional risk in the form of malicious software that can silently take control of their Facebook accounts,” Narang told ConsumerAffairs. 

“Even if users aren’t directly affected by the SilentFade malware, its effect extends to Facebook users that encounter dubious advertisements for products that are counterfeit or misleading, such as phony diet pills. Users should not download pirated software and should be extremely skeptical of advertisements for discounted products at or phony diet pills."

What took so long?

The interesting twist is that it’s taken two years for Facebook to tell the world about this issue. The SilentFade mob was active between late 2018 and February 2019, when Facebook's security team first caught wind of their presence. Luckily, they were able to stop the gang’s attacks. 

It’s possible that Facebook was embarrassed by the attack’s stealth-like precision. 

“This was the first time we observed malware actively changing notification settings, blocking pages, and exploiting a bug in the blocking subsystem to maintain persistence in a compromised account,” the company’s researchers said, claiming that the scam actually became a “silver lining” that helped it detect compromised accounts going forward. 


Ransomware victims could be fined by the government for making payments to hackers

New Treasury Department guidelines could lead to multimillion penalties for those who pay off cyber criminals

In an advisory published Thursday, the Treasury Department warned that individuals or companies that facilitate payments to ransomware extortionists could be fined by the U.S. government. 

Under its new guidelines, the Treasury Department said facilitating these payments could be in violation of anti-money laundering and sanctions regulations in cases where a group or hacker is either sanctioned by the U.S. Treasury or has ties to a cybercrime group that is sanctioned. 

Huge fines of up to $20 million could be incurred by firms or people that facilitate these payments. 

“Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” said the Treasury’s Office of Foreign Assets Control (OFAC).

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

The penalty could be handed down even if the company or individual was unaware that it was engaging or transacting with a sanctioned entity. Before deciding to make any sort of payment, ransomware victims are urged to contact OFAC.

"OFAC encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus," the agency said. 


Anthem agrees to data breach settlement with 43 states

The company will pay $39.5 million to resolve charges stemming from the 2014 attack

Health benefits provider Anthem has reached a settlement with 43 states, resolving the last of a series of lawsuits over a 2014 cyberattack. The company will pay the states $39.5 million.

The company previously agreed to a $16 million settlement with the U.S. Department of Health and Human Services' Office for Civil Rights to resolve the privacy violations stemming from the hack, which exposed personal information on nearly 79 million people.

“Protecting the privacy of its customers should be Anthem’s top priority, otherwise people are left vulnerable and exposed,” said Ohio Attorney General Dave Yost. “The fear of having your identity stolen is alarming and it will take time to rebuild that public trust.”

Through the combined action, Yost said Ohio will receive $1.88 million from the settlement. Other states will receive similar amounts. In addition to the payments, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its practices going forward.

“Data breaches have far-reaching and long-lasting effects on people’s lives,” said Florida Attorney General Ashley Moody. “When companies fail to protect customers’ personal information, they owe it to the public to disclose that information quickly and to take steps to protect them from further damage.”

Timing of disclosure

The timing of the disclosure was one of the central issues in the states’ case. In February 2015, Anthem disclosed to the public that hackers had gained entry to its systems beginning in February 2014 by using malware installed through a phishing email. 

Once inside, the attackers gained access to Anthem’s data warehouse, where they stole names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans. 

“Protecting consumer data is incredibly important, and when companies or corporations who store large amounts of consumer data fail to safeguard that data, they must be held accountable,” said Missouri Attorney General Eric Schmitt.

Improving security

In addition to the financial settlement, Anthem has agreed to strengthen its network security protocols to avoid similar incidents in the future.

Among the steps, Anthem said it will implement a comprehensive information security program that incorporates principles of zero-trust architecture and includes regular security reports made to the Board of Directors and prompt notice of significant security events to the CEO.

It has also agreed to a third-party assessment and audit of its security practices for three years.


Universal Health Services targeted by likely ransomware attack

Some hospitals were forced to file patient information with pen and paper due to the issue

Universal Health Services (UHS), one of the nation’s largest health care providers, disclosed Monday that its systems were affected by a highly coordinated ransomware attack. Employees at the hospital chain had reported over the weekend that they couldn’t access their computers. 

UHS, which operates about 400 health care facilities across the U.S. and U.K., attributed the outage to an “IT security issue.”

“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible,” UHS said in a statement. “In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.” 

The company added that “no patient or employee data appears to have been accessed, copied or misused.” 

Forced to file information manually

A source familiar with the matter told NBC News that the attack “looks and smells like ransomware.” Attackers often wait to deploy ransomware over a weekend to take advantage of reduced staffing, NBC News noted.

The attack forced some UHS hospitals to file patient information manually, using pen and paper. In other instances, ambulances were redirected to other nearby hospitals. 

This isn’t the first time a hospital chain has been the target of a cyberattack. Earlier this month, Duesseldorf University Hospital in Germany was hit by a ransomware attack that resulted in a patient in critical condition having to be transferred to another hospital. The patient ended up dying while en route to the other facility. 


U.S. government places restrictions on China’s largest chipmaker

Officials say the company’s equipment could be used for military purposes

The United States has added China’s largest chipmaker, Semiconductor Manufacturing International Corporation (SMIC), to its blocked entity list. 

U.S. officials concluded that there is an “unacceptable risk” that equipment supplied by SMIC could be used for military purposes, Reuters reported. 

In the interest of protecting national security, the Commerce Department will now require American companies to obtain individual export licenses before doing business with the Chinese firm. 

Tightening trade restrictions

A spokesperson for SMIC said the company had received no official notice of the restrictions. It maintained that it is not linked to the Chinese military in any way. 

“SMIC reiterates that it manufactures semiconductors and provides services solely for civilian and commercial end-users and end-uses,” the chip maker said. “The Company has no relationship with the Chinese military and does not manufacture for any military end-users or end-uses.”

The U.S. previously blacklisted Chinese telecom giant Huawei in an effort to keep critical chipmaking technology out of China’s hands. Adding SMIC to the blocked entity list will keep the semiconductor producer from obtaining key manufacturing equipment and design tools from the U.S. 

The Commerce Department’s Bureau of Industry and Security didn’t comment specifically on the decision regarding SMIC. However, it said more broadly that it was “constantly monitoring and assessing any potential threats to U.S. national security and foreign policy interests.” 


CISA issues emergency warning over Windows security flaw

Government agencies have been told to install a patch immediately

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has warned of a critical security vulnerability affecting the Windows Server systems used across federal agencies.

CISA said a recently discovered flaw in Windows Netlogon Remote Protocol could allow an attacker with network access to “completely compromise all Active Directory identity services.” 

In its advisory, CISA urged government agencies to install a patch as soon as possible. Failure to patch the vulnerability, tracked as CVE-2020-1472 and commonly called Zerologon, could have a “grave impact,” the agency said.

“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” CISA said. “Left unpatched, this vulnerability could allow attackers to compromise network identity services.” 

Requires immediate attention

The flaw affects systems running Windows Server 2008 R2 and later, including current releases such as Windows Server 2016 and 2019 that share the Windows 10 codebase. Government agencies were given until September 21 to install the patch.

“We have directed agencies to implement the patch across their infrastructure by Monday, September 21, and given instructions for which of their many systems to prioritize,” CISA said.

Microsoft is addressing the vulnerability in a two-phase rollout. The first phase is the security update released in August, which patches domain controllers but still permits vulnerable Netlogon connections from non-Windows devices that do not yet support secure RPC, logging each one so administrators can find and fix them. The second phase, scheduled for February 9, 2021, switches domain controllers to enforcement mode, in which those vulnerable connections are refused.

“These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels,” the company said in a statement.
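The practical question the phased rollout raises is which devices are still negotiating the vulnerable channel and will therefore stop working on February 9, 2021. The script below, an added example rather than anything from CISA or Microsoft, triages the Netlogon events that the August 2020 update makes domain controllers write (event IDs 5827 to 5831, as Microsoft documents them). The log lines are a constructed, simplified text export, not the real Windows event XML; in production you would feed it the output of an event-log query instead.

```python
"""Triage Netlogon secure-channel events emitted by patched domain controllers
(CVE-2020-1472).  Added example, not from the article, CISA or Microsoft.
Event IDs follow Microsoft's documentation for the August 2020 update:
5827/5828 = vulnerable connection denied, 5829 = vulnerable connection allowed
during the initial deployment phase, 5830/5831 = allowed by group policy.
The line layout below is a constructed text export, not the real XML schema."""
import re
from collections import defaultdict

# Meaning of each Netlogon event ID written by an updated domain controller.
NETLOGON_EVENTS = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed-vulnerable", "machine account"),
    5830: ("allowed-by-policy", "machine account"),
    5831: ("allowed-by-policy", "trust account"),
}

# Constructed sample export (assumed format: "<timestamp> NETLOGON <id> account=<name> ip=<addr>").
SAMPLE_LOG = """\
2020-09-18T10:02:11Z NETLOGON 5829 account=OLD-NAS$ ip=10.0.5.21
2020-09-18T10:02:40Z NETLOGON 5829 account=PRINTSRV$ ip=10.0.7.3
2020-09-18T10:03:02Z NETLOGON 5827 account=ROGUE-PC$ ip=10.0.9.99
2020-09-18T10:05:15Z NETLOGON 5829 account=OLD-NAS$ ip=10.0.5.21
2020-09-18T10:06:00Z NETLOGON 5830 account=LEGACY-APP$ ip=10.0.5.40
2020-09-18T10:06:30Z NETLOGON 4624 account=alice ip=10.0.1.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NETLOGON (?P<id>\d+) account=(?P<acct>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, event_id, account, ip) for the Netlogon IDs we care about."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        eid = int(m.group("id"))
        if eid in NETLOGON_EVENTS:
            yield m.group("ts"), eid, m.group("acct"), m.group("ip")


def triage(text):
    """Group accounts by what the DC did with their Netlogon secure channel:
    returns {verdict: {account: event_count}}."""
    result = defaultdict(dict)
    for _ts, eid, acct, _ip in parse_events(text):
        verdict, _kind = NETLOGON_EVENTS[eid]
        result[verdict][acct] = result[verdict].get(acct, 0) + 1
    return dict(result)


def will_break_on_enforcement(text):
    """Accounts still negotiating vulnerable channels (5829) and not covered by a
    policy exception (5830/5831): these stop authenticating once enforcement
    mode is on, so they need a vendor update or an explicit exception first."""
    t = triage(text)
    excepted = set(t.get("allowed-by-policy", {}))
    return sorted(set(t.get("allowed-vulnerable", {})) - excepted)


if __name__ == "__main__":
    for verdict, accounts in sorted(triage(SAMPLE_LOG).items()):
        print(f"{verdict:20s} {accounts}")
    print("fix before enforcement:", will_break_on_enforcement(SAMPLE_LOG))
```

The denied events (5827/5828) are the interesting ones for detection: a patched DC refusing a vulnerable channel from an account that should already be compliant is either a stale device or an exploitation attempt, and either way deserves a look at the source IP.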


Personal information for 46,000 veterans exposed in data breach

The Department of Veterans Affairs says hackers were able to infiltrate its systems

The Department of Veterans Affairs (VA) said Monday that around 46,000 veterans had their personal information exposed in a data breach.

The VA said that hackers gained unauthorized access to its systems with the aim of diverting payments meant for health care providers who had treated veterans. Some veterans may have had their Social Security numbers exposed.

"The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the medical treatment of Veterans,” the Department said in an announcement. “The FSC took the application offline and reported the breach to VA’s Privacy Office.” 

Investigation in progress 

The VA added that hackers were able to breach the system by “using social engineering techniques and exploiting authentication protocols.” The agency said it’s launching a security review. 

"To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology," it added.

The Department said it’s notifying veterans whose information was exposed in the breach. In cases where the affected veteran is deceased, the Department will notify the next-of-kin. 

“The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised," the VA said. "Veterans whose information was involved are advised to follow the instructions in the letter to protect their data. There is no action needed from Veterans if they did not receive an alert by mail, as their personal information was not involved in the incident.” 


Gaming hardware vendor Razer suffers data leak affecting up to 100,000 customers

Security researchers warn that scammers could launch phishing attempts using leaked information

Gaming hardware manufacturing company Razer accidentally leaked the data of as many as 100,000 customers, according to security researcher Bob Diachenko. 

Diachenko said in a report that the company misconfigured one of its Elasticsearch servers, leaving information available to the public and indexed by public search engines since August 18. The information leaked included customers’ full names, emails, phone numbers, and shipping addresses. 

It took Razer several weeks to respond to Diachenko; when it did, the company said it had fixed the misconfiguration on September 9. The company says passwords and credit card information were not involved in the leak.

"We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems," the company told Diachenko. "We remain committed to ensure the digital safety and security of all our customers."
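The misconfiguration behind a leak like this is usually a two-line matter in elasticsearch.yml: the node is bound to a public interface and authentication is never turned on. The checker below is an added example, not Razer's configuration or a tool from Elastic. The sample files are constructed, and the rules encode two Elasticsearch 7.x defaults: a node listens only on loopback unless network.host is set, and there is no authentication unless xpack.security.enabled is true.

```python
"""Audit an elasticsearch.yml for the 'reachable from outside, no auth' pattern.
Added example, not Razer's configuration and not Elastic's tooling.  The
samples are constructed; the rules encode Elasticsearch 7.x defaults (loopback
binding unless network.host is set, security off unless xpack.security.enabled
is true, HTTP on port 9200)."""

LOOPBACK_ONLY = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Minimal parser for the flat 'key: value' lines Elasticsearch uses.
    Comments and blank lines are skipped; this is not a general YAML parser."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit(text):
    """Return a list of findings; an empty list means no exposure pattern found."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")          # default: loopback only
    remote = host not in LOOPBACK_ONLY
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if remote and not security_on:
        findings.append(
            f"network.host={host} exposes the REST API on port "
            f"{s.get('http.port', '9200')} with xpack.security disabled: "
            "anyone who can reach the port can read and delete every index"
        )
    if remote and not tls_on:
        findings.append(
            "HTTP layer is reachable remotely without TLS; credentials and data "
            "travel in cleartext"
        )
    return findings


# Constructed samples: the weak layout beside the corrected one.
WEAK_CONFIG = """\
cluster.name: shop-analytics
network.host: 0.0.0.0        # listen on every interface
http.port: 9200
"""

HARDENED_CONFIG = """\
cluster.name: shop-analytics
network.host: 10.20.0.5      # private interface only; keep a firewall or VPN in front
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["no exposure pattern"])
```

A config audit only catches what is written down; the companion check is from the outside, confirming that port 9200 on the public address answers with a 401 rather than a cluster banner.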

Watch for suspicious emails

Improperly accessed information could be used by scammers to carry out phishing attempts, so Diachenko urges gamers to “be on the lookout for phishing attempts sent to their phone or email address.” 

“Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device,” he noted. “Razer customers could be at risk of fraud and targeted phishing attacks perpetrated by criminals who might have accessed the data.” 

Razer said customers with any questions about the leak can send a message to DPO@razer.com.


Twitter reactivates option to download personal data

It’s a fairly simple three-step process

Smarting from the doozy of a Bitcoin scam that compromised the Twitter accounts of the rich and famous, the social media company closed down the ability to download archives of “Your Twitter Data.” Now that the dust has settled and the apparent chief perpetrator has been arrested, it’s bringing that feature back.

Twitter apologized profusely for the incident, which plundered the accounts of everyone from Warren Buffett to Kanye West. Collectively, victims of the scheme posted similar tweets asking for donations via Bitcoin, but hackers also got a hold of some of those celebrities’ “Your Twitter Data” archives -- an intrusion that not only had the potential to steal private messages, but also personal data. 

How to turn personal data back on

Twitter’s process for retrieving personal data is fairly simple. To access it, just go to Settings > Account > Your Twitter data. Then, type in your password and click to start the transfer. One note of warning for Twitter app users: you might be transferred over to Twitter’s mobile website, but the platform says there’s nothing to worry about if that happens.


Cisco warns of zero-day security flaw that was exploited by hackers

The company says a patch is on the way

Cisco has warned of a high-severity zero-day security vulnerability affecting its networking devices. 

In an advisory published Saturday, the company said the flaw affects the Distance Vector Multicast Routing Protocol (DVMRP) feature of its IOS XR network operating system. Cisco said the flaw was being actively exploited as recently as last week and that it is still developing a patch. 

The networking device manufacturer said the flaw, tracked as CVE-2020-3566, could let an unauthenticated remote attacker exhaust process memory and destabilize other processes running on the device.

"The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets,” Cisco explained. “An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device.” 

Exploitation attempts discovered

Cisco said it discovered exploitation attempts last week but didn’t provide details on what, if anything, the exploit attempts accomplished. The company only said what the flaw could allow an attacker to do. 

“A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes,” the company said. “These processes may include, but are not limited to, interior and exterior routing protocols."

Although Cisco didn’t provide an estimate of when a patch will be released, it did promise that one is on the way. 

While a patch is in the works, the company is urging users to rely on mitigations, such as a rate limiter for IGMP traffic or an access control entry added to an existing interface access control list. Details of these defensive measures can be found in the company’s security advisory.
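What “insufficient queue management” means in practice, and why a rate limiter at ingress is the right stopgap, is easier to see in a model than in prose. The simulation below is an added illustration, not Cisco’s code, configuration or the exploit: the packets are constructed (tick, source) tuples, the service rate and token-bucket sizes are arbitrary assumptions, and the point is only that a slow control-plane consumer with an unbounded input queue grows without limit under a flood, while per-source policing keeps the queue bounded and leaves legitimate neighbours untouched.

```python
"""Model of the memory-exhaustion failure mode and the rate-limiter mitigation.
Added illustration, not Cisco's code or configuration and not an exploit.
Packets are constructed tuples; service rate and bucket parameters are
arbitrary assumptions."""
from collections import deque


class TokenBucket:
    """Per-source token bucket: 'rate' tokens per tick, holding at most 'burst'."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}  # src -> (tokens, last_tick)

    def allow(self, src, tick):
        tokens, last = self.state.get(src, (self.burst, tick))
        tokens = min(self.burst, tokens + (tick - last) * self.rate)
        if tokens >= 1:
            self.state[src] = (tokens - 1, tick)
            return True
        self.state[src] = (tokens, tick)
        return False


def simulate(packets, service_per_tick, policer=None):
    """packets: list of (tick, src) IGMP arrivals, sorted by tick.  The control-plane
    process drains at most service_per_tick packets per tick from an unbounded
    queue (the 'insufficient queue management').  Returns (peak queue depth,
    packets dropped at ingress by the policer)."""
    queue = deque()
    dropped = 0
    peak = 0
    last_tick = packets[-1][0] if packets else 0
    i = 0
    for tick in range(last_tick + 1):
        while i < len(packets) and packets[i][0] == tick:
            _, src = packets[i]
            i += 1
            if policer is not None and not policer.allow(src, tick):
                dropped += 1       # excess crafted packets never reach the queue
                continue
            queue.append(src)
        peak = max(peak, len(queue))
        for _ in range(min(service_per_tick, len(queue))):
            queue.popleft()
    return peak, dropped


def build_traffic(ticks, attacker_rate, neighbors=("10.0.0.2", "10.0.0.3")):
    """Constructed arrivals: each legitimate neighbour sends one IGMP packet per
    tick; the attacker (192.0.2.66, a documentation address) floods attacker_rate
    crafted packets per tick."""
    pkts = []
    for t in range(ticks):
        for n in neighbors:
            pkts.append((t, n))
        pkts.extend((t, "192.0.2.66") for _ in range(attacker_rate))
    return pkts


if __name__ == "__main__":
    traffic = build_traffic(ticks=200, attacker_rate=50)
    print("no policing :", simulate(traffic, service_per_tick=10))
    print("token bucket:", simulate(traffic, service_per_tick=10,
                                    policer=TokenBucket(rate=2, burst=5)))
```

Without policing the queue grows by the arrival surplus every tick and only the attacker decides when it stops; with a per-source bucket the attacker gets the same small budget as any neighbour and the queue drains every tick. An ACL entry that simply denies the protocol on interfaces where it is not needed is the blunter version of the same idea.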


FBI, CISA warn of increase in ‘vishing’ attacks

Cybercriminals are taking advantage of businesses that have shifted to a work-from-home model

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have warned that the COVID-19 pandemic has led to an increase in voice phishing (or “vishing”) campaigns. 

In a joint cybersecurity advisory, the agencies noted that the pandemic has resulted in a “mass shift to working from home,” and with it a heavier reliance on corporate virtual private networks (VPNs) that attackers have been quick to exploit. In July, cybercriminals launched a vishing campaign aimed at stealing employees’ VPN credentials and monetizing the resulting access to internal tools.  

“The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme,” authorities said in the advisory.

“Prior to the pandemic, similar campaigns exclusively targeted telecommunications providers and internet service providers with these attacks, but the focus has recently broadened to more indiscriminate targeting,” the alert continued. 

Highly effective attack 

The advisory was published less than 24 hours after security researcher Brian Krebs of KrebsOnSecurity reported on a group of cybercriminals selling a vishing service that relies on custom phishing sites and social engineering to steal VPN credentials from employees. 

Citing interviews with several sources, Krebs said the bad actors have experienced “a remarkably high success rate.” 

The attackers operate “primarily through paid requests or ‘bounties,’ where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home,” the report said. 

Krebs explained that a typical attempt begins with a series of phone calls to employees working remotely at a targeted organization. 

“The phishers will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s virtual private networking (VPN) technology,” according to Krebs. “The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.”

Preventing vishing attempts

FBI and CISA officials offered several tips on how people can protect themselves against vishing attempts. 

Companies and organizations are advised to restrict VPN connections to managed devices only, to employ domain monitoring, and to “consider using a formalized authentication process for employee-to-employee communications made over the public telephone network.” 

End users are advised to be suspicious of unsolicited phone calls or email messages from unknown individuals claiming to be from a legitimate organization. They should also limit the amount of personal information they post on social networking platforms. 

“If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement,” the advisory said. 
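Of the advisory’s recommendations, domain monitoring is the one that most directly counters the custom phishing sites Krebs describes, since the attacker has to register a name that looks like the company’s VPN or email portal before the call is made. The scanner below is an added example, not FBI/CISA or KrebsOnSecurity tooling: the brand name, keyword list and the feed of “newly registered domains” are constructed, and the matching rules are assumptions about what such a lookalike looks like.

```python
"""Domain monitoring for VPN-portal lookalikes.  Added example, not tooling from
the FBI/CISA advisory or KrebsOnSecurity.  BRAND, KEYWORDS, OWN_DOMAINS and
SAMPLE_FEED are constructed; the matching rules are assumptions."""

BRAND = "examplecorp"            # assumed organisation name
KEYWORDS = ("vpn", "sso", "okta", "portal", "login", "remote", "helpdesk", "it")
OWN_DOMAINS = {"examplecorp.com", "vpn.examplecorp.com"}   # assumed legitimate set


def lookalike_candidates(brand=BRAND):
    """Brand/keyword combinations an attacker would register for a VPN phish,
    e.g. examplecorp-vpn, vpnexamplecorp, sso-examplecorp."""
    names = set()
    for kw in KEYWORDS:
        for a, b in ((brand, kw), (kw, brand)):
            for sep in ("", "-"):
                names.add(f"{a}{sep}{b}")
    return names


def fold_homoglyphs(label):
    """Undo common look-alike substitutions (assumed short list): rn->m, 0->o, 1->l, vv->w."""
    return label.replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")


def classify(domain, brand=BRAND):
    """Return a reason string if the domain looks like a brand lookalike, else None.
    Assumes single-label TLDs (the registrable name is the second-to-last label)."""
    domain = domain.lower().rstrip(".")
    if domain in OWN_DOMAINS:
        return None
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]
    if name in lookalike_candidates(brand):
        return f"brand+keyword lookalike ({name}.{tld})"
    if brand in labels[:-2]:            # e.g. examplecorp.vpn-access.net
        return "brand embedded in subdomain"
    if name != brand and fold_homoglyphs(name) == brand:
        return "homoglyph of brand"
    if len(name) == len(brand) and sum(a != b for a, b in zip(name, brand)) == 1:
        return "single-character substitution of brand"
    return None


def scan_feed(feed, brand=BRAND):
    """Apply classify() to every domain in a newly-registered-domains feed;
    returns {domain: reason} for the hits."""
    hits = {}
    for line in feed.splitlines():
        domain = line.strip()
        if not domain:
            continue
        reason = classify(domain, brand)
        if reason:
            hits[domain] = reason
    return hits


# Constructed feed of 'new registrations' for the example.
SAMPLE_FEED = """\
examplecorp-vpn.com
vpn-examplecorp.net
exarnplecorp.com
examplecorp.vpn-access.net
unrelated-shop.com
examplecorp.com
examplec0rp.co
examplecorx.com
"""

if __name__ == "__main__":
    for d, why in scan_feed(SAMPLE_FEED).items():
        print(f"{d:32s} {why}")
```

Hits are leads, not verdicts: the follow-up is a WHOIS lookup, a passive check of whether the name resolves and serves a login page, and a takedown request to the registrar. Feeding the same candidate list into the corporate web proxy’s block list closes the loop for employees who do click.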


Nearly 235 million accounts on Instagram, TikTok, and YouTube exposed in data breach

Users' names, ages, and account details were left in an unprotected server

If you’re a YouTube, TikTok, or Instagram user, hold on to your personal data, folks, because a gargantuan leak of social media profiles has shown up at the doorstep of these platforms.

According to an incident brought to light by researchers at Comparitech, Hong Kong-based Social Data exposed a database of close to 235 million social media profiles by leaving it reachable without a password or any other form of authentication. The exposed data includes these items from personal profiles:

  • Profile and real full name, age, and gender

  • Profile photo

  • Whether the profile belongs to a business or has advertisements

  • Statistics about follower engagement, including: number of followers, engagement rate, follower growth rate, audience gender/age/location, and likes

  • Last post timestamp

Based on samples Comparitech collected, it says that about 20 percent of the records also contained either a phone number or email address.

Scraping all it can find

Social Data’s model is anything but consumer-friendly, but at least it’s honest about what it does. In its Terms of Service, it admits that it “scrapes” the data of influencers who “have a presence on the Internet having in excess of a certain amount of followers (decided by the marketer) on various social media platforms.” In other words, let’s say you have 1,523 followers on Instagram and a marketer is looking for people who have at least 1,000, you would be a prime candidate to be scraped.

Web scraping is a long-established way of copying data from web pages in bulk. It is cheap, which appeals to marketing firms that can’t afford more aboveboard methods. Social Data insists that it only scrapes what is publicly accessible, but the practice violates Facebook, Instagram, TikTok, and YouTube terms of use. 

Deep Social, a now-defunct company that Comparitech links to Social Data, was banned from Facebook and Instagram in 2018, yet the scraping apparently continued. Comparitech says that is likely because automated scraping bots can be difficult to distinguish from normal website visitors, so social media platforms have a hard time preventing them from accessing user profiles until it’s too late.

Social Data defends itself

A Social Data spokesperson told Comparitech security researcher Bob Diachenko in an email that the data was not “hacked” because it was collected in a legal way. 

“Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access,” the spokesperson said.

“I would appreciate it if you could ensure that this is made clear,” the spokesperson continued in their email to Diachenko. “Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database. […] Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private. [sic]”


Instagram says bug kept users’ deleted photos and messages on its servers

The company said it has fixed the issue and rewarded the security researcher who found it

When you take down a post or photo from a social media site, you might expect it to be gone for good. But one cybersecurity expert found this wasn’t the case for some content posted on Instagram. 

TechCrunch reports that security researcher Saugat Pokharel recently dug into his own data on the social media platform and found that messages and pictures he had deleted over a year before were still present on Instagram’s servers. After notifying the platform, he received $6,000 under Instagram’s bug bounty program for bringing the issue to light. 

“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us,” an Instagram spokesperson told TechCrunch.

Accessing your information

What Pokharel did to find this issue isn’t beyond any other Instagram user. The Download Your Information tool was introduced back in 2018 so that the platform could comply with the data-access rights established under the European Union’s General Data Protection Regulation (GDPR). 

Instagram states that it usually takes around 90 days for deleted content to be removed from its servers, but users can check out the tool for themselves to see exactly what personal information is being stored on the site. 

Consumers can find directions on how to access the tool on Instagram’s help page.


Researchers discover ‘One Click’ security flaw in Amazon’s Alexa

Attackers could access voice history records and more to extract personal information

Researchers have discovered vulnerabilities in Amazon’s digital assistant, Alexa. 

In a report published Thursday, researchers from Check Point said they found that attackers could exploit a flaw in Amazon’s Alexa that could enable them to extract personal information. 

“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” wrote Oded Vanunu, head of products vulnerabilities research at Check Point. “Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”

Requires just one click of a malicious link

The team said they found several web application flaws on Alexa-related subdomains, including a Cross-Origin Resource Sharing (CORS) misconfiguration and a Cross-Site Scripting (XSS) vulnerability. 

The presence of these vulnerabilities could enable attackers to access personal information like home addresses or banking data, remotely install or remove skills on a user’s Alexa account, or extract the victim’s voice history. 

“Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker,” said Dikla Barda of Check Point Research, who helped discover the vulnerabilities.

The team noted that Amazon doesn’t record users’ banking login credentials, but that information could be extracted via recorded interactions with the smart assistant. 

“Since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,” said researchers. “We can also get usernames and phone numbers, depending on the skills installed on the user’s Alexa account.”
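The CORS half of the chain Check Point describes comes down to which origins a server grants credentialed access: if the check is a loose substring or pattern match on the Origin header, a page on an attacker-controlled host whose name merely contains the trusted domain gets the user’s cookies sent along and can read the JSON that comes back. The handler pair below is an added example, not Amazon’s code or Check Point’s proof of concept; the origins, allow-list and endpoint are constructed, and the browser-side rule is the standard one (a credentialed cross-origin response is readable only if Access-Control-Allow-Origin exactly equals the page’s origin).

```python
"""Loose CORS origin check beside a strict one.  Added example, not Amazon's
code and not Check Point's proof of concept.  TRUSTED_ORIGINS and ATTACKER are
constructed; the browser rule in browser_can_read() is the standard CORS
behaviour for credentialed requests."""
from urllib.parse import urlsplit

TRUSTED_ORIGINS = {"https://alexa.example", "https://skills.example"}   # assumed allow-list


def cors_headers_vulnerable(request_origin):
    """Reflects any Origin whose string merely *contains* the trusted domain and
    sends credentials with it.  'https://alexa.example.attacker.test' passes."""
    if request_origin and "alexa.example" in request_origin:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_headers_hardened(request_origin):
    """Exact-match scheme+host against a fixed allow-list; only those origins get
    a credentialed grant, and the response varies on Origin so caches stay honest."""
    if not request_origin:
        return {}
    parts = urlsplit(request_origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if parts.scheme == "https" and not parts.path and normalized in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def browser_can_read(page_origin, headers):
    """Browser-side rule: JavaScript on page_origin may read a credentialed
    cross-origin response only if ACAO equals page_origin exactly
    (a wildcard is never accepted together with credentials)."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == page_origin and acao != "*" and creds


ATTACKER = "https://alexa.example.attacker.test"   # constructed attacker origin

if __name__ == "__main__":
    for policy in (cors_headers_vulnerable, cors_headers_hardened):
        grant = policy(ATTACKER)
        print(f"{policy.__name__:24s} attacker page can read the user's data:",
              browser_can_read(ATTACKER, grant))
```

The XSS on a trusted subdomain is what makes a strict allow-list insufficient on its own: script running on an allowed origin is, to the browser, that origin. That is why the hardened version also needs the subdomains on the allow-list to be free of injection, or to be dropped from the list entirely.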

Prime targets to attackers

Given how many consumers use virtual assistants, Check Point said these devices are “attractive targets to attackers looking to steal private and sensitive information, or to disrupt an individual’s smart home environment.” 

“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” Vanunu said. “But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”

These devices “must be kept secured at all times to keep hackers from infiltrating our smart homes,” the researchers added. 


Calls made on 4G LTE mobile networks could be susceptible to hackers, experts say

A study has exposed a security issue in the widely used mobile network

While one recent study has highlighted the ways hackers can hack into consumers’ cell phones, a new study is looking at yet another way consumers’ privacy could be manipulated through the network they use.

According to researchers from Ruhr-University Bochum, cell phone calls made on 4G LTE mobile networks could be susceptible to hackers. Though these networks should be immune to such attacks, the researchers learned that an issue in their security systems could leave many consumers vulnerable to these types of threats.  

“Voice over LTE has been in use for six years,” said researcher David Rupprecht. “We’re unable to verify whether attackers have exploited the security gap in the past.” 

Not-so-private phone calls

The majority of consumers utilize LTE networks on their mobile phones to do everything from searching the internet to making texts and calls. One of the benefits of this kind of network is that it is designed to keep consumers’ data private. However, the researchers learned that this isn’t always the case. 

Each call is encrypted by combining the audio with a keystream derived from a session key, and as long as every call gets its own keystream the contents stay private. The researchers found, however, that some base stations reuse the same keystream for two consecutive calls on the same radio connection, and an attacker who records both calls can use one to decrypt the other. 

“The attacker has to engage the victim in a conversation,” said Rupprecht. “The longer the attacker talked to the victim, the more content of the previous conversation he or she was able to decrypt.” 

The attack has to happen quickly, and the attacker needs to be within range of the same base station as the target. But if the conditions are right, all the attacker has to do is record the target’s call and then phone the target shortly after that call ends. Because the attacker knows the content of their own call, they can recover the keystream from it and decrypt the recorded conversation. 
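Reduced to its arithmetic, the weakness is keystream reuse in a stream cipher: the network XORs each call with a keystream, so if two calls share a keystream, XORing the two ciphertexts cancels it out and leaves the XOR of the two plaintexts. The script below is an added example, not the researchers’ code or the network’s cipher: the keystream generator is SHA-256 in counter mode standing in for the real one, the “calls” are constructed byte strings, and the point is that the attacker recovers exactly as many bytes of the victim’s call as their own call is long, which is Rupprecht’s “the longer the attacker talked, the more he or she was able to decrypt.”

```python
"""Keystream reuse between two calls, reduced to XOR arithmetic.  Added example,
not the researchers' code; SHA-256 in counter mode is an assumed stand-in for
the network's cipher and the 'calls' are constructed byte strings."""
import hashlib


def keystream(key, nbytes):
    """Deterministic keystream: SHA-256(key || counter) blocks, truncated to nbytes."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt(key, plaintext):
    """Stream encryption: ciphertext = plaintext XOR keystream (decryption is identical)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def recover_from_reuse(ciphertext_target, ciphertext_attacker, plaintext_attacker):
    """c_target XOR c_attacker XOR p_attacker = p_target wherever both calls used
    the same keystream.  Only as many bytes as the attacker's own call supplies
    can be recovered, so a longer follow-up call reveals more of the victim's."""
    n = min(len(ciphertext_target), len(ciphertext_attacker), len(plaintext_attacker))
    return bytes(
        c1 ^ c2 ^ p2
        for c1, c2, p2 in zip(ciphertext_target[:n], ciphertext_attacker[:n], plaintext_attacker[:n])
    )


BEARER_KEY = b"constructed-bearer-key-not-real"   # the key both calls (wrongly) reuse

# Constructed "audio" for the victim's confidential call and the attacker's follow-up call.
VICTIM_CALL = b"Confidential: transfer 40k to account 7731 on Friday."
ATTACKER_CALL = b"Hello, this is a survey call, do you have a minute?"


def demo():
    """Attacker passively records the victim's call, then places their own call
    on the same reused keystream and recovers the victim's plaintext."""
    c_victim = encrypt(BEARER_KEY, VICTIM_CALL)        # sniffed earlier
    c_attacker = encrypt(BEARER_KEY, ATTACKER_CALL)    # sniffed during the attacker's call
    return recover_from_reuse(c_victim, c_attacker, ATTACKER_CALL)


def demo_fresh_keystream():
    """Same attack when the network derives a new key per call: recovery fails."""
    c_victim = encrypt(BEARER_KEY + b"-call-1", VICTIM_CALL)
    c_attacker = encrypt(BEARER_KEY + b"-call-2", ATTACKER_CALL)
    return recover_from_reuse(c_victim, c_attacker, ATTACKER_CALL)


if __name__ == "__main__":
    print("reused keystream :", demo())
    print("fresh keystream  :", demo_fresh_keystream())
```

The fix on the network side is the obvious one the example’s second function shows: never derive the same keystream twice, which in LTE terms means not reusing the same key and radio-bearer identity for a second call on the same connection.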

The researchers analyzed random calls made on an LTE network across Germany. They found that 80 percent of the calls they examined were affected by this kind of security breach.

While this is certainly cause for concern, the researchers noted that several mobile networks have already resolved this issue. However, it’s still very important for consumers to be aware of these potential vulnerabilities and to stay vigilant since it’s impossible to determine if the issue has been completely eradicated. 


TikTok accused of tracking device data from Google Android users

An investigation claims the company tracked user data for 18 months before discontinuing the practice

Video-sharing platform TikTok has faced a great deal of scrutiny from U.S. regulators over its data collection practices and its connection to the Chinese government. While it has defended itself and even offered to share its algorithms with the cybersecurity community, a recent investigation by the Wall Street Journal suggests that it had been tracking Google Android users for months without their knowledge or consent.

The publication reports that TikTok circumvented Google privacy safeguards to collect MAC addresses from Android users for 18 months before stopping the practice last November, when scrutiny from the U.S. government was ramping up. MAC addresses can act as identifiers that are unique to individual devices and could be used to serve users targeted ads. 

The new finding contrasts starkly with the company’s reaction to an executive order issued last week that seeks to ban the app from the U.S. over data privacy concerns. 

“We want the 100 million Americans who love our platform because it is your home for expression, entertainment, and connection to know: TikTok has never, and will never, waver in our commitment to you. We prioritize your safety, security, and the trust of our community -- always,” the company said in a blog post.

Feds clash with TikTok

The Trump administration previously cited concerns that TikTok and other Chinese apps like WeChat are able to gather data and share that information with the Chinese government. 

“TikTok automatically gathers vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search history,” the administration’s executive order stated. “This data threatens to allow the Chinese Communist Party (CCP) access to Americans’ personal and proprietary information -- potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information and blackmail, and conduct corporate espionage.”

While the Journal’s investigation shows no evidence of this kind of agenda, the findings do place a dark cloud over the company’s stance on user privacy and security. In response to the report, a TikTok spokesperson reaffirmed that the company prioritizes user security.

“Under the leadership of our Chief Information Security Officer (CISO) Roland Cloutier, who has decades of experience in law enforcement and the financial services industry, we are committed to protecting the privacy and safety of the TikTok community. We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never given any TikTok user data to the Chinese government nor would we do so if asked,” the spokesperson said.

Regulators respond

In a statement to the Journal, Sen. Josh Hawley (R-Mo.) called on Google to take action to prevent TikTok and other apps from skirting its security to collect consumers’ data.

“Google needs to mind its store, and TikTok shouldn’t be on it. If Google is telling users they won’t be tracked without their consent and knowingly allows apps like TikTok to break its rules by collecting persistent identifiers, potentially in violation of our children’s privacy laws, they’ve got some explaining to do,” he said. 

Talkspace accused of mining private client data

Former employees claim the mobile therapy startup routinely used patient data for marketing purposes

Talkspace, a mobile app that enables users to message a certified therapist, has been accused of regularly mining data from the transcripts of clients' private therapy sessions.

Former Talkspace employees interviewed by the New York Times claimed the mobile therapy startup used data that was supposed to be kept private for marketing purposes. 

The former employees claim Talkspace had data scientists pull commonly used phrases from anonymized patient transcripts. These key phrases were then allegedly shared with the company’s marketing team, which used the information to target new customers. 

The report also alleges that Talkspace gave employees phones to post fake positive reviews to the App Store and Play Store.

Talkspace denies allegations

In a Medium post published over the weekend, Talkspace co-founders Roni and Oren Frank denied that the startup mined data for marketing purposes.

They said the Times article “misconstrues our work and makes false and uninformed assertions about patient privacy and certain marketing practices.” The founders said the former employee featured in the story “shared information that is from 2016 and is not accurate.” 

"Talkspace is a HIPAA/HITECH and SOC2 approved platform, audited annually by external vendors and has deployed additional technologies to keep its data safe, exceeding all existing regulatory requirements," they wrote.

Capital One to pay $80 million over data breach

The company will be required to create new internal checks to stop it from happening again

Back in 2019, Capital One released details of a massive data breach that compromised the personal information of over 100 million consumers in the U.S. and Canada. Now, it’s being forced to pay the piper for its mistakes. 

The Office of the Comptroller of the Currency (OCC) announced this week that Capital One will pay an $80 million civil penalty due to the breach. The Federal Reserve Board is also requiring the company to upgrade its internal risk management systems, as well as its cybersecurity and information security practices, to prevent a similar breach from happening in the future. 

“The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner,” the OCC stated. 

Exposed information

At the time, the scope of the Capital One breach was compared to the infamous Equifax breach of 2017, which compromised the personal data of nearly 150 million Americans. 

The exposed information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. The hacker responsible for the breach also accessed 140,000 Social Security numbers and 80,000 bank account numbers linked to secured credit card customers. Nearly 1 million Canadian Social Insurance numbers were also compromised.

Trump signs executive order seeking to ban TikTok, WeChat in 45 days

The Trump administration believes China-based apps pose a national security threat

President Trump has signed an executive order banning TikTok and WeChat from operating in the United States in 45 days if they are not sold by the Chinese companies that own them.

Video-sharing platform TikTok has been at the center of federal scrutiny lately, and President Trump recently signaled his intention to ban the app due to national security concerns. 

On Thursday night, Trump said TikTok -- which is owned by China-based ByteDance -- will be banned in 45 days if it isn’t sold to another company. It “remains unclear” if Trump has the legal authority to ban the apps from the U.S., the Associated Press noted.

Concerns over data sharing 

The Trump administration has expressed concern that TikTok and other Chinese apps could gather data from users and share it with the Chinese government.  

“TikTok automatically gathers vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search history,” the executive order alleged.

“This data threatens to allow the Chinese Communist Party (CCP) access to Americans’ personal and proprietary information – potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information and blackmail, and conduct corporate espionage.”

Microsoft said over the weekend that it was moving forward with talks to acquire TikTok. On Monday, President Trump said September 15 would be the deadline for TikTok to find a U.S. buyer. 

Taking action against Chinese apps

Trump issued a similar order for China-based WeChat, a platform that allows users to transfer funds to each other. 

"The United States must take aggressive action against the owner of WeChat to protect our national security,” the executive order said Thursday night.

Secretary of State Mike Pompeo said Wednesday that the Trump administration believes TikTok could feed data to the Chinese Communist Party. 

"Here's what I hope that the American people will come to recognize -- these Chinese software companies doing business in the United States, whether it's TikTok or WeChat, there are countless more ... are feeding data directly to the Chinese Communist Party, their national security apparatus -- could be their facial recognition pattern, it could be information about their residence, their phone numbers, their friends, who they're connected to," Pompeo said. 

He said President Trump was “going to fix it” through actions that would be unveiled in the coming days “with respect to a broad array of national security risks that are presented by software connected to the Chinese Communist Party.”

FBI warns businesses to stop using Windows 7

A lack of updates makes the operating system vulnerable to hackers

Companies that still rely on Windows 7 to conduct their business may want to quickly reconsider that decision. 

Earlier this week, the Federal Bureau of Investigation (FBI) sent out a warning saying that a lack of support for the operating system has made it vulnerable to hackers. The agency says businesses that continue to use it are opening themselves up to hacking attempts by malicious third parties.

"The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status. Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered,” the FBI said in a private industry notification. 

Increased risk of being hacked

Microsoft announced earlier this year that it was ending support for Windows 7. The company said that the decision would mean that it would “no longer provide technical support, software updates, or security updates or fixes.”

That represents a huge risk to businesses that still rely on the operating system. Doing so greatly increases the risk of hackers being able to compromise internal systems and gain access to potentially sensitive information.

"With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target," the FBI stated. 

The agency is advising companies to switch to an operating system that has active support to avoid additional hacking risks. Although making that switch may be inconvenient, agency officials say the risks of the alternative are too high. 

“Migrating to a new operating system can pose its own unique challenges, such as cost for new hardware and software and updating existing custom software. However, these challenges do not outweigh the loss of intellectual property and threats to an organization,” the agency stated. 

Twitter acknowledges security vulnerability affecting Android users

A flaw may have exposed private data of users running Android OS versions 8 and 9

Twitter has disclosed details of a new security vulnerability that may have exposed the direct messages of its Android device users. The company said Wednesday that the vulnerability could have exposed the data of Twitter users running devices with Android OS versions 8 and 9.

“This vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this,” Twitter said in a blog post.

The issue, which is now fixed, affected only a small fraction of Twitter users. Twitter said it was linked to an Android OS security issue that only affects versions 8 and 9. Around 96 percent of people using Twitter for Android already have a security patch for this vulnerability, Twitter said.

The issue didn’t impact users running Twitter for iOS or Twitter.com.

Notices sent to affected users

The social media platform said it doesn’t currently have any evidence that the vulnerability was exploited, but it “can’t be completely sure” that it wasn’t. In an effort to protect the small group of potentially vulnerable users, the company rolled out an update to its Android app to ensure external apps can’t access in-app data. 

Twitter also sent in-app alerts to those affected and required them to update their app to the latest version. Going forward, Twitter has promised to identify “changes to our processes to better guard against issues like this.”

“To keep your Twitter data safe, please update to the latest version of Twitter for Android on all Android devices that you use to access Twitter,” the company said. “Your privacy and trust is important to us and we will continue working to keep your data secure on Twitter.”

Twitter could face $250 million fine over improper use of user data

Regulators accused Twitter of using user data to target advertising between 2013 and 2019

Twitter warned investors on Monday that it could be slapped with an FTC fine of up to $250 million for using personal information provided by users for security purposes to instead target advertising. 

In its second-quarter 10-Q financial filing with the Securities and Exchange Commission (SEC), Twitter said it received a draft complaint from the FTC on July 28. The FTC alleged that the company’s actions violated a 2011 agreement requiring it to establish a more robust security program and stop misleading consumers about how it protects their personal information.

“The allegations relate to the Company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019,” Twitter wrote. “The Company estimates that the range of probable loss in this matter is $150.0 million to $250.0 million and has recorded an accrual of $150.0 million.”

Twitter came clean about its use of user data for ad targeting back in October. At the time, the company said it “unintentionally" used some email addresses and phone numbers for advertising. The information was provided by users for account security purposes, such as setting up two-factor authentication. 

Twitter said in the financial filing that the matter “remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.” 

Impact of recent security breach 

The financial filing also gave an update on the potential impact of the site’s recent hacking. Last month, a 17-year-old hacker was allegedly able to gain access to a number of high-profile accounts to promote a cryptocurrency scam. Twitter said in the filing that the breach could hurt its reputation, affect its relationship with advertisers, and hinder its growth.

“This security breach may have harmed the people and accounts affected by it,” the company said in the filing. “It may also impact the market perception of the effectiveness of our security measures, and people may lose trust and confidence in us, decrease the use of our products and services or stop using our products and services in their entirety.”

Trump set to ‘take action’ against TikTok and other Chinese apps

The Trump administration is concerned that TikTok's Chinese ownership poses a risk to national security

President Trump is poised to “take action” against Chinese apps, including TikTok, in the coming days, Secretary of State Mike Pompeo said Sunday. The Trump administration is concerned that the apps threaten national security. 

During an interview on Fox News' "Sunday Morning Futures," Pompeo said the administration believes TikTok, a social media video app owned by China-based Bytedance, could potentially feed data to the Chinese Communist Party. 

"Here's what I hope that the American people will come to recognize -- these Chinese software companies doing business in the United States, whether it's TikTok or WeChat, there are countless more ... are feeding data directly to the Chinese Communist Party, their national security apparatus -- could be their facial recognition pattern, it could be information about their residence, their phone numbers, their friends, who they're connected to," Pompeo said. 

"President Trump has said enough and we're going to fix it and so he will take action in the coming days with respect to a broad array of national security risks that are presented by software connected to the Chinese Communist Party,” he added. 

Pompeo said Trump “will make sure that everything we have done drives us as close to zero risk for the American people... That's the mission set that he laid out for all of us when we began to evaluate this now several months back. We're closing in on a solution and I think you'll see the President's announcement shortly.”

TikTok responds

TikTok has maintained that it would never give the Chinese government access to U.S. user data. In response to Trump’s threat on Friday to ban the platform in the United States, TikTok U.S. General Manager Vanessa Pappas posted a video saying the social media app is “not planning on going anywhere.”

“These are the facts: 100 million Americans come to TikTok for entertainment and connection, especially during the pandemic,” a company spokesperson said in a statement. “We've hired nearly 1,000 people to our US team this year alone, and are proud to be hiring another 10,000 employees into great paying jobs across the US.” 

“We are committed to protecting our users' privacy and safety as we continue working to bring joy to families and meaningful careers to those who create on our platform.” 

Cracking down on Chinese companies

President Trump’s planned action against TikTok and other Chinese apps would join other efforts to tighten U.S. security amid concerns over Chinese data sharing. Previously, the administration ordered the U.S. to stop buying equipment from Chinese telecom providers Huawei and ZTE. 

In July, the FCC formally designated the companies as national security threats, citing a “weight of evidence” that the companies could “cooperate with the country’s intelligence services” to harm U.S. communications. 

“With today’s Orders, and based on the overwhelming weight of evidence, the (FCC’s Public Safety and Homeland Security) Bureau has designated Huawei and ZTE as national security risks to America’s communications networks—and to our 5G future,” FCC Chairman Ajit Pai said in a statement at the time. 

Consumers are increasingly wary of how corporations handle their data

A survey suggests that most people want more control over how businesses use their personal information

As big tech companies get bigger -- and even smaller players dig deeper into consumers’ personal histories -- a survey suggests that the public is becoming increasingly wary.

A new survey from KPMG shows rising concern among consumers about how corporations use, manage, and protect their personal data. The survey found 56 percent of Americans want more control over their personal data and believe that both corporations and the government must work harder to protect consumer data.

Privacy appears to be a hot button topic with consumers, particularly when it comes to technology. Ninety-seven percent of consumers in the survey checked the box when asked if it’s an important issue.

At the same time, the survey suggests that consumers are deeply suspicious of what companies are doing with their data. Well over half -- 68 percent -- don't trust companies to ethically sell their personal data.

"With consumers indicating that they see data privacy as a human right, and new legislation expected in the years ahead, it is critical that companies begin to mature privacy programs and policies," said Orson Lucas, principal, KPMG Cyber Security Services. "Consumer demands for the ethical use of data and increased control over their own data must be a core consideration in developing data privacy policies and practices."

Facebook and privacy

Facebook may offer a case in point in how consumers’ personal data gets packaged and sold. The issue burst into the headlines in 2018 when Facebook revealed that a political marketing firm, Cambridge Analytica, had gained unauthorized access to user data to target political ads in 2016.

There have been other revelations of the misuse of consumer data in the years that followed, including a 2019 disclosure which indicated that as many as 100 app developers retained data from user groups on the platform. 

In June, Google was sued for allegedly violating the privacy of millions of users by tracking their use of the internet via browsers set to “private” browsing mode. The lawsuit seeks at least $5 billion; $5,000 per user or three times actual damages, whichever is greater, according to the complaint.

While consumers overwhelmingly believe companies and the government need to do more to protect privacy, the KPMG survey also found consumers have some responsibility in that area too.

More than 40 percent of those in the survey said they often use the same password for multiple accounts, use public Wi-Fi, or save a card to a website or online store, even though they are aware that it poses a privacy risk.

"Part of the challenge for corporations will be getting employees and customers to do their part in protecting their own data," said Steve Stein, principal, KPMG Cyber Security Services.  

TikTok makes its algorithms available and says other tech companies should too

The company’s move is bold, but it could make itself look good

TikTok -- the Chinese video-sharing social networking service used by more than a billion people -- says it wants to be transparent. 

Given the recent run of bad luck the company has had with the U.S. government, Amazon, Wells Fargo, and others, there may be a number of doubters who think the idea sounds fishy, but the company seems to think that the only way to reverse its bad luck is by proving that it’s on the up and up.

When TikTok uses the word “transparent,” what it’s saying is that it is taking steps to give outsiders complete access to the algorithms its app uses to categorize and share users’ videos. To add some muscle to its offer, the company says it will let experts “observe our moderation policies in real-time.”

Opening up the algorithm

TikTok CEO Kevin Mayer laid out his vision in a blog post on Wednesday, cheerleading the notion that “fair competition and transparency benefits us all.” Coming clean about TikTok’s issues, Mayer admitted that the app’s Chinese origin is an elephant it can’t seem to get out of the company’s boardroom.

“With our success comes responsibility and accountability. The entire industry has received scrutiny, and rightly so. Yet, we have received even more scrutiny due to the company's Chinese origins,” Mayer said. He then threw down a challenge to the company’s competitors.

“We will not wait for regulation to come, but instead TikTok has taken the first step by launching a Transparency and Accountability Center for moderation and data practices,” he said. “Experts can observe our moderation policies in real-time, as well as examine the actual code that drives our algorithms. This puts us a step ahead of the industry, and we encourage others to follow suit.”

Angling for a more favorable position

Timing is everything, and that’s not lost on Mayer. The big wigs at Amazon, Apple, Facebook, and Google were in D.C. to face the House Judiciary Committee’s antitrust panel on Wednesday. Even though TikTok officials were spared being grilled in person, it’s pretty likely that the platform’s name will come up before the gavel closes the session.

In the past, Facebook boss Mark Zuckerberg has held up TikTok as an example of why American tech firms need to be free to counter the rise of China. In his prepared remarks, published Tuesday, Zuckerberg brought up the subject of competition between Facebook and its foreign rivals again by claiming that the playing field in China, in particular, is not level.

While Zuckerberg was waiting for his turn in front of legislators on Wednesday, Mayer took the opportunity to take a shot across Zuckerberg’s bow in hopes of making TikTok look like a good guy. 

“Facebook is even launching another copycat product, Reels (tied to Instagram), after their other copycat Lasso failed quickly,” Mayer wrote. “But let's focus our energies on fair and open competition in service of our consumers, rather than maligning attacks by our competitor – namely Facebook – disguised as patriotism and designed to put an end to our very presence in the U.S.”

Garmin confirms ransomware attack took down service

After a five-day outage, systems are coming back online

Garmin has confirmed that a ransomware attack was behind a system outage that customers dealt with for five days starting July 23. 

"Garmin is currently experiencing an outage that affects Garmin services including Garmin Connect," the company said in a statement last week. "As a result of the outage, some features and services across these platforms are unavailable to customers."

On Monday, the company said an external cyberattack “encrypted some of our systems” and disrupted many of its services.

“As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications,” the statement read. “We immediately began to assess the nature of the attack and started remediation.”

Garmin said it has “no evidence” that any customer data, including activity and payment information, was compromised or stolen. The fitness tracker and GPS maker said it’s restoring service, but it will take a few days before everything is completely back to normal. 

Sources told tech websites ZDNet, TechCrunch, and Bleeping Computer that the outage was caused by ransomware called WastedLocker, which is run by a cybercriminal group known as Evil Corp. 

Justice Department charges two Chinese hackers with attempting to steal COVID-19 research

The Department said the hackers were involved in a long-running global hacking campaign

The Justice Department on Tuesday charged two Chinese hackers with attempting to gain access to the United States’ COVID-19 research. 

The Department said the two individuals charged were involved in a global hacking campaign that spanned more than a decade. The hackers recently sought to exploit vulnerabilities in the computer networks of a Massachusetts biotech company carrying out COVID-19 vaccine research. 

In an 11-count indictment, the DOJ alleged that LI Xiaoyu and DONG Jiazhi “conducted a hacking campaign lasting more than ten years to the present, targeting companies in countries with high technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom.” 

The Department said the hackers were trained in computer applications technologies at the same Chinese university. Both individuals were working for the Chinese government’s Ministry of State Security and for their own personal financial gain. 

Targeting sensitive information

The industries allegedly targeted by the pair included high tech manufacturing, medical devices, industrial engineering, business, pharmaceuticals, and defense, among others. The Justice Department said there was at least one instance in which the hackers attempted to extort cryptocurrency by threatening to release the victim’s stolen source code on the internet. 

More recently, the hackers “probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments,” the Department said. There is currently no indication that the hackers were successful in obtaining any COVID-19 research. 

The indictment comes in the same month that intelligence officials said Russian hackers had attempted to target organizations carrying out coronavirus vaccine research. The charges filed today are the first to formally accuse foreign hackers of targeting ongoing COVID-19 research in the U.S., according to the Associated Press. 

“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” John C. Demers, assistant attorney general for national security, said in a statement.

Russian hacking group accused of trying to steal COVID-19 vaccine research

The group is reportedly using malware and spear-phishing attacks

A Russian hacking group is reportedly targeting organizations carrying out research on a COVID-19 vaccine, according to intelligence agencies from the U.S., U.K., and Canada. 

In an advisory published Thursday by the UK National Cyber Security Centre (NCSC), security officials warned that a hacking group called APT29 (also called “the Dukes” or “Cozy Bear”) is targeting health care organizations in the three countries.

The group is using malware and spear-phishing attacks to try to steal coronavirus vaccine research. Officials didn’t say how much vaccine information the Russian group has stolen or how the group’s actions have impacted research efforts.

"APT29's campaign of malicious activity is ongoing, predominantly against government, diplomatic, think tank, healthcare and energy targets to steal valuable intellectual property," a press release on the advisory said.

History of hacking

The hacking group previously carried out a phishing attack on Hillary Clinton’s campaign chairman John Podesta in 2016. 

“APT29 has a long history of targeting governmental, diplomatic, think-tank, health care and energy organizations for intelligence gain, so we encourage everyone to take this threat seriously,” said Anne Neuberger, the National Security Agency’s cybersecurity director.

Dominic Raab, the U.K.’s foreign secretary, said it’s “completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic.”

“While others pursue their selfish interests with reckless behavior, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health,” Raab said in a statement, adding that the U.K. will "continue to counter those conducting such cyber attacks.” 

The NSA said it remains “steadfast in its commitment to protecting national security by collectively issuing this critical cybersecurity advisory as foreign actors continue to take advantage of the ongoing COVID-19 pandemic.” 


Facebook admits to sharing user data in another personal data gaffe

The problem is fixed, but users have heard that before

Facebook has more egg on its face. Besides the bevy of advertisers pulling their ad dollars over the company’s stance on hateful content, the master spirit of social media has confessed that it erred in sharing the personal data of inactive accounts -- and for longer than it had the authority to do so.

In a blog post, Facebook’s Konstantinos Papamiltiadis, VP of Platform Partnerships, came clean about the mistake, saying that “in some instances” third-party apps collected data from inactive users past the 90-day window that Facebook’s Mark Zuckerberg committed to in the face of the Cambridge Analytica scandal.

What exactly happened

The example that Papamiltiadis used was if someone used a fitness app to invite their friends from their hometown to a workout. He said in an instance like that, Facebook didn’t recognize that some of the user’s friends may have been inactive for several months.

Papamiltiadis estimated that around 5,000 app developers continued to receive some sort of information -- like gender or the language spoken -- but that the company has yet to see any hard evidence that the issue went further than the permissions those inactive accounts originally gave when they signed up for the app.

“We fixed the issue the day after we found it. We’ll keep investigating and will continue to prioritize transparency around any major updates,” Papamiltiadis promised.

Going forward

Whether this was an incidental error or an egregious one, Facebook quickly instituted new safeguards to keep this from happening again. 

Those new measures fall under a revision of Facebook’s Platform Terms and Developer Policies, which detail app developers' responsibility to safeguard data and respect people’s privacy when using its platform. Specifically, the company is putting limitations on the information developers can share with third parties without the explicit consent from a user. 

Papamiltiadis said that the updated policy should also strengthen data security requirements and spell out exactly when developers have to delete a user’s data.


Consumers face big security risks in shift to working from home, study finds

Personal data could be more at risk in this new environment

Millions of Americans have been working from home since late March and are likely to continue doing so well into next year.

While the threat from scammers targeting individuals has been quick to emerge, a new IBM study has found a host of security issues resulting from this new trend that pose risks to corporations and consumers’ personal information.

At the office, employees usually work on highly secure networks with robust safety protocols. At home, the IBM study found employees are using their home WiFi and are often completing work on personal laptops.

‘Long-lasting reality’

Businesses and employees were thrust into the work-at-home world suddenly, with little to no time for planning. The study authors found that most of the employees now working from home had little to no experience doing so before the pandemic closed their offices.

The study authors worry that cybercriminals will have a much easier time breaching an employee’s home security network than they would breaking into a corporate network. They point out that customer service agents who worked in closely managed call centers are now managing sensitive customer data at home.

"Organizations need to use a risk-based approach with work-from-home models, then reassess and build from the ground up," said IBM’s Charles Henderson. "Working from home is going to be a long-lasting reality within many organizations, and the security assumptions we once relied on in our traditional offices may not be enough as our workforce transitions to new, less controlled surroundings."

Henderson says businesses need to be playing catch-up. IBM found that most employees now working from home are confident in their company's ability to keep personally identifiable information secure in this new environment. But 52 percent said they are using personal laptops to work at home, and 45 percent said they haven’t received any specific training.

Policy lapses

The study contains a virtual catalog of additional policy lapses that could expose business and consumer data. Specifically, the study found that:

  • More than half of employees have not been provided with new guidelines on how to handle highly regulated data while working from home;

  • More than 50 percent of respondents don't know of any new company policies related to customer data handling, password management, and other sensitive information;

  • More than 50 percent of new work from home employees are using their own personal computers for business use, but 61 percent say their employer hasn't provided tools to properly secure those devices; and

  • Sixty-six percent of employees have not been provided with new password management guidelines, which could be why 35 percent are still reusing passwords for business accounts.

While there have been no major data breaches reported since employees began working from home, the current trends are not encouraging. A recent analysis by researchers at cybersecurity company Tessian found just over half of home-bound employees are engaging in riskier behavior, such as using email to share sensitive files instead of more secure means of communication. 


Nintendo says 300,000 accounts were hacked

The company says it discovered additional breached accounts after continuing an investigation started in April

Nintendo disclosed on Tuesday that 300,000 accounts have been compromised by hackers since the beginning of April. 

In a statement on its website, originally written in Japanese, the company said a higher number of malicious attackers used users’ Nintendo Network IDs without their permission than previously believed. 

In April, the company said 160,000 accounts were breached. On Tuesday, the company said it found, after continuing its investigation, that the figure is actually around 300,000. However, Nintendo said only a small number of hacked accounts were used to make purchases or to buy items on Nintendo's platform.

Nintendo says credit card information wasn’t exposed, but multiple reports said hackers gained access to “PayPal funds linked to the Nintendo eShop and used them to purchase game currencies like Fortnite’s ‘V-bucks’ and, in some cases, hundreds of dollars worth of games,” the Deseret News reported in April.

Emailing affected users

Nintendo said it is almost done issuing refunds to customers whose accounts were used to make fraudulent purchases. 

Affected users will receive an email from the company urging them to update their passwords. Users can also set up two-factor authentication for additional security. People who previously used a Nintendo Network ID to log in are now urged to use their Nintendo account email address instead. 

When Nintendo first announced the breach, it promised to “make further efforts to strengthen security and ensure safety so that similar events do not occur.” 


App allows consumers to control the sale of their data to financial institutions

The consumers who opt-in would receive compensation

Rather than have your transactional data used without your explicit knowledge, it’s now possible for consumers to sell it to financial institutions for cash.

Killi, a company providing consumer privacy services, has developed an app that integrates access to over 20,000 financial institutions so that consumers can opt-in to an agreement to share their data.

If they do, they receive compensation from the participating firms, unlike the normal arrangement, when consumers often are unaware that their data is being sold.

“The current market for transactional data is powered by firms that collect data from credit cards and bank cards, and sell it without explicitly informing or compensating the consumer," said Killi founder and CEO Neil Sweeney. 

Consumers may be told their data is being accessed and sold, but Sweeney says the disclosure is usually masked in the fine print. He says companies will sometimes bait consumers by offering points or other amenities in exchange for financial information. However, the payout only represents a fraction of the real value of the data.

Control and transparency

Sweeney says Killi is changing this system by providing consumers with control and transparency on who is purchasing their data while providing them with direct compensation each time the data is acquired. 

“Additionally, by putting explicit consent at the individual user level, Killi also removes privacy, fraud, and fidelity concerns for those that buy the data,” Sweeney said. “Killi gives full transparency to both buyers and sellers. When purchasing data from Killi, you know exactly where this data is coming from and vice versa.”

How much your data could be worth all depends on what kind of data it is. Industry sources say your Facebook data may be among the most valuable.

Congressional interest

A year ago, Sen. Mark Warner (D-Va.) and Sen. Josh Hawley (R-Mo.) proposed legislation to provide more transparency in consumer data transactions by requiring data sellers to tell consumers exactly how much their information is worth.

Killi's Fair Trade Data program appears to come close to that goal. It allows for consumer inclusion in the sale of personal data and provides full transparency for buyers of data to see the exact source of what they are buying.

The program launched in April, and the company says it could play a significant role in the movement toward universal basic income for individuals by establishing a new model that regularly sends money back to the consumer. 


Zoom won’t offer encryption for free users to comply with law enforcement

Free calls won’t be encrypted so that law enforcement can access information in the event of ‘misuse’ of the platform

Video conferencing platform Zoom has confirmed that its free users won’t get end-to-end encryption -- which is strongly recommended by privacy advocates -- because law enforcement may need to access these calls in the event that the platform is “misused.” 

“We think this feature should be a part of our offering” for professional customers, said Zoom CEO Eric Yuan in a meeting with investors Tuesday. “Free users — for sure we don’t want to give [them] that, because we also want to work together with the FBI, with local law enforcement, in case some people use Zoom for a bad purpose.”

The policy has drawn criticism from security experts, who have taken issue with Zoom’s requirement of a payment in exchange for end-to-end encryption. 

“This is a bizarre policy to say the least. Zoom. Perhaps it should have said ‘Y’all free users are just potential criminals. Y’all don’t deserve e2e protection,’” tweeted user PrivacyMatters.

Privacy problems

Zoom has dealt with a number of security issues in recent months, some of which transpired due to the unexpected surge in the number of Zoom users. One such issue was a phenomenon known as “Zoombombing," where hackers infiltrate and disrupt private chats. 

Zoom has also been accused of sending data from users of its iOS app to Facebook and making false claims that video calls were encrypted. Additionally, half a million Zoom accounts have surfaced on the darknet.

In an effort to address security shortcomings, Zoom acquired Keybase, an end-to-end encryption start-up. But based on the latest information, a majority of Zoom calls will remain unencrypted. 

A company spokesperson said that Zoom “does not proactively monitor meeting content, and we do not share information with law enforcement except in circumstances like child sex abuse.” Additionally, Zoom says it doesn’t, and will never, have “backdoors where participants can enter meetings without being visible to others.” 

“Zoom’s end-to-end encryption plan balances the privacy of its users with the safety of vulnerable groups, including children and potential victims of hate crimes. We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.”


Apple releases update with patch for recently discovered jailbreak

The company has released iOS 13.5.1, which it says ‘provides important security updates’

Apple has released a patch for a jailbreaking tool uncovered last week by hacking group Unc0ver. The group recently found that Apple’s just-released iOS 13.5 could be the target of a new jailbreak which could unlock all iPhones running iOS 11 and above. 

In its release notes for the update, Apple said it “provides important security updates and is recommended for all users.” 

The jailbreak was shared at the end of May, just a few days after Apple released iOS 13.5. The hacking group that discovered it said it utilized exceptions that enabled security to remain intact; programs would keep running separately so they couldn’t access unauthorized data. 

"This jailbreak basically just adds exceptions to the existing rules," the jailbreak’s lead developer told WIRED. "It only enables reading new jailbreak files and parts of the file system that contain no user data."

Experts say jailbreaking -- or the process of hacking an iOS device to get around software restrictions put there by Apple for security purposes -- can potentially open a device to security risks. Jailbreaking a device removes Apple’s security protections and can allow hackers to steal personal information, damage your device, attack your network, or introduce malware, spyware or viruses.

The jailbreak discovered by Unc0ver was said to be the first zero-day jailbreak release since iOS 8.


Hacker discovers vulnerability in Apple’s ‘Sign in with Apple’ feature

A security researcher was paid $100,000 for finding the now-patched vulnerability

A security researcher from Delhi discovered a vulnerability in Apple’s “Sign in with Apple” feature, first introduced in June 2019. The flaw could have allowed a malicious party to take over an account with only an email ID. 

Apple paid the person who discovered the vulnerability $100,000 through its bug bounty program. Now that the bug has been fixed by Apple, the person who discovered it -- Bhavuk Jain -- published a disclosure about it. 

“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” Jain wrote. “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.” 

Vulnerability patched

When Apple introduced its “Sign in with Apple” feature in 2019, it touted it as a "more private way to simply and quickly sign into apps and websites." A user could sign up with third-party apps and services without needing to provide their Apple ID email address.

The vulnerability reported on May 30 was eye-opening because it could have allowed an attacker to take over users’ accounts regardless of whether the victim used a valid Apple ID email or not. Forbes noted that the flaw was also a shocker because Apple didn’t discover it during development. 

Jain said he found that he could request authentication tokens for any Email ID from Apple and “when the signature of these tokens was verified using Apple’s public key, they showed as valid.” 

“This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” he wrote. 

Jain noted that an internal investigation carried out by Apple concluded that no account compromises or misuse had occurred before the vulnerability was patched.
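The takeaway for anyone integrating a third-party sign-in is that a valid signature only proves who minted the token, not that the token was minted for your app, for this login attempt, or for the account you are about to hand over. The following is an added example written for this page, not Apple's or Jain's code: it checks signature, issuer, audience, expiry and nonce, and links accounts by the issuer's stable `sub` identifier rather than by the email claim. Everything in it is constructed: the key, issuer, audience and account names are placeholders, and HS256 (HMAC) stands in for Apple's RS256 public-key signature so the block runs with only the standard library.

```python
"""Added example: validating an ID token before account linking.

Constructed for this article; not Apple's code. Uses HS256 so it runs with only
the standard library; Apple's real tokens are RS256-signed and must be verified
against Apple's published public keys instead (assumption, not page content).
"""
import base64
import hashlib
import hmac
import json

# Constructed values: a demo signing key and the relying party's identifiers.
DEMO_KEY = b"demo-issuer-key-not-real"
ISSUER = "https://issuer.example"
AUDIENCE = "com.example.relying-party"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Constructed token issuer: a stand-in for the real identity provider."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token: str, key: bytes, expected_iss: str,
                      expected_aud: str, now: float, expected_nonce=None) -> dict:
    """Return the claims only if the signature AND every binding claim check out."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token was issued for another app")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no expiry")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replayed token")
    if not claims.get("sub"):
        raise ValueError("missing subject identifier")
    return claims


def is_valid(token: str, now: float, nonce=None) -> bool:
    """Convenience wrapper: True if the token passes every check above."""
    try:
        validate_id_token(token, DEMO_KEY, ISSUER, AUDIENCE, now, nonce)
        return True
    except ValueError:
        return False


class AccountStore:
    """Relying-party accounts linked by the issuer's stable `sub`, not by email."""

    def __init__(self):
        self._by_sub = {}

    def link(self, sub: str, username: str) -> None:
        self._by_sub[sub] = username

    def login(self, token: str, now: float, nonce=None):
        claims = validate_id_token(token, DEMO_KEY, ISSUER, AUDIENCE, now, nonce)
        # The email claim is informational only; the account is selected by `sub`.
        return self._by_sub.get(claims["sub"])
```

The `AccountStore.login` path is the defensive point: a token that carries someone else's email address but a different subject identifier resolves to no account, and a token that is expired, replayed, or issued for a different app is rejected before any account lookup happens.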


Hacking group releases new jailbreak for all recent iPhone models

It’s the first zero-day jailbreak release in years

The hacking group behind the “unc0ver” jailbreaking tool has released a new jailbreak tool that unlocks all iPhones running iOS 11 and above, including the most recently released iOS 13.5.

Jailbreaking is the process of hacking an iOS device to break through software restrictions put in by Apple for security purposes. The new jailbreak, which the group named “Unc0ver 5.0.0,” exploits a zero-day vulnerability in the iOS operating system that Apple had not been aware of. 

On its website, the team said the jailbreak utilizes "native system sandbox exceptions,” so security remains intact. Programs keep running separately so they can't access unauthorized data. 

"This jailbreak basically just adds exceptions to the existing rules," Unc0ver told WIRED. "It only enables reading new jailbreak files and parts of the file system that contain no user data."

The jailbreak is said to be the first zero-day jailbreak release since iOS 8.

Apple hasn’t released a statement on the discovery, but the company has a history of working quickly to deliver a patch for vulnerabilities as soon as possible following their discovery.


Mastercard introduces new consumer protections at the gas pump

The company says it’s an interim measure before all gas pumps have EMV chip technology

To combat the growing plague of credit card fraud at the gas pump, Mastercard has launched a program to protect consumers using payment cards at gas pumps that haven’t upgraded to EMV terminals.

At the same time, Mastercard said it is giving gas stations additional time -- until April 16, 2021 -- to make the change to the more secure system before facing liability for fraudulent transactions.

Scammers have replaced old-fashioned credit card skimmers that stole customers’ credit card numbers with new technology that steals the information digitally. Mastercard reports that fraud at gas pumps made up 17 percent of all credit card fraud losses in the fourth quarter of 2019.

Safer system

The company’s new consumer protection program is aimed at providing the merchant and lenders with tools to help them navigate the heightened risk that this particular brand of fraud is presenting.

“Many fuel companies have made the shift to a safer and more secure EMV environment, and we applaud them for doing so,” said Kush Saxena, executive vice president, US Merchants and Acceptance, Mastercard. “However, we also recognize and respect the complexities to upgrade to safer and more secure EMV transactions at fuel dispensers over the next few months.” 

EMV terminals read an embedded chip on the card containing encrypted data. It is now almost universally used for point-of-sale transactions. It has only been in the last few months that this technology has begun to be added to fuel pumps.

The new Mastercard program provides a differentiated layer of protection that the company believes will make the transition from gas pump transactions using the old swipe card readers more effective and safer.

How it works

Mastercard issuing banks will receive enhanced data on high-risk fraud transactions at fuel merchants and will use that information to decide whether to authorize the purchase. In that way, Mastercard says fraud can be stopped before it starts.

The company’s Safety Net and Fraud Rules Manager programs will be upgraded to aid in their decision-making criteria, providing additional protection for their cardholders at fuel pumps.

In late 2019, Visa issued a security alert warning that gas pump thieves were stealing card information without physically altering the gas pump card reader. Instead, they breached the merchant’s payment network and planted malware to collect the data.

To mitigate gas pump credit card fraud, BP recently introduced an app that can be used to pay for gasoline purchases online without physically using a payment card. The app automatically bills the purchase to the card on file.

Mastercard says upgrading all gas pumps in the U.S. to use EMV technology is the best way to stop scammers in their tracks. It says payment card fraud at U.S. gas stations that installed the new technology fell 88 percent between 2015 and 2019.


EasyJet’s hack compromises 9 million customer records

With the pandemic forcing businesses to work at reduced staffing, this seems to be a growing trend

If you’re a traveler who has flown anywhere in Europe using EasyJet, heads up. Tuesday morning, the low-cost London-based airline disclosed that its customer database had been pillaged by a “highly sophisticated” source. 

The airline told the stock market world that unauthorized access to its systems has been completely sealed off. Still, for the 9 million customers who had their email addresses and travel details compromised and the 2,208 customers who had their credit card details exposed, that’s anything but good. The airline said affected customers will be contacted by the airline no later than May 26. 

EasyJet CEO Johan Lundgren said in a statement that the company takes cybersecurity seriously but that “this is an evolving threat as cyber attackers get ever more sophisticated.”

Cyber attacks more common during pandemic

With the pandemic forcing businesses to work with minimum staff, this digital raid might have been expected. 

“It comes as no surprise that well-known organizations who are very publicly affected by the pandemic -- and are known to have furloughed lots of staff -- would be the targets of sophisticated cyberattacks, with the potential to cause significant reputational damage,” Andrew Tsonchev, director of technology at cybersecurity firm Darktrace told CNBC.

While Tsonchev is only speculating, a ransom demand may yet come out of this. “Globally ... we’ve seen an uptick in highly targeted and sophisticated attacks like these,” he said. 

“Access ‘downstream’ to clients and customer data is often the goal of these attacks, as withholding this data not only secures a quick ransom payout at a time when companies are keen to keep costs down, but can also provide vital nuggets of information to launch secondary attacks.”

Think you might be affected?

As is pretty much standard in these situations, Lundgren did his best to give the airline’s customers some solace, suggesting that they be “extra vigilant” if they get an email that purportedly comes from the airline or its travel arm EasyJet Holidays. 

ConsumerAffairs has a couple of other smart moves to suggest: If you’ve done ANY business with EasyJet, be on alert for any unusual activity on your credit cards or bank accounts, change passwords for your EasyJet and any related accounts, and check with HaveIBeenPwned to see if your email address has been compromised in this (or any other) data breach.


NYC schools can once again use Zoom

The city’s Department of Education says Zoom has taken steps to boost security

A month after New York City schools banned the use of video conferencing application Zoom, schools in the city will once again be allowed to use the platform for remote learning purposes. 

The NYC Department of Education (DOE) and Zoom announced on Wednesday that schools and students will now have access to a central NYC Department of Education Zoom account with data encryption and storage settings that the district requested Zoom implement for all its users.

"Our new agreement with Zoom will give your children another way to connect with their schools, teachers and school staff. We are excited to be able to have another safe and secure option for school communities to use during this unprecedented time," NYC Department of Education Chancellor Richard A. Carranza wrote in a letter to families, schools, and students.

Previously banned 

Last month, New York City’s DOE banned the use of Zoom after receiving “various reports documenting issues that impact the security and privacy of the Zoom platform.” The Department advised schools to transition to other platforms for conducting virtual classes, such as Microsoft Teams. 

On the heels of the announcement, Zoom agreed to ramp up its efforts to ensure the privacy and security of its platform, particularly when used by students and teachers. 

Education department officials told Chalkbeat that Zoom has implemented new settings to ensure that only approved participants and guests can join virtual classrooms. This will help prevent occurrences of “Zoombombing,” where a hacker disrupts a meeting with racist remarks, aggressive language, pornographic content or even death threats. 

Stepping up security

Zoom CEO Eric Yuan has stated that his company is working hard to increase security measures following an unexpected surge in users in the wake of COVID-19 business closures. 

In a security announcement posted Tuesday, Zoom said it will soon launch several new features to protect “free basic users.” Here are the new features that will be activated starting May 9: 

  • Passwords will be required for all meetings, including new meetings, previously scheduled meetings, and those using PMI

  • Waiting Rooms for PMI will be turned on by default

  • Screen sharing privileges will be Host Only by default

“These enhanced protections will help enable our free users to securely meet right out of the box,” said Zoom’s Edward Lee. 

After Zoom was banned, the department directed teachers to use alternative tools like Microsoft Teams and Google Classroom. However, not all were happy about this move; critics said it disrupted the learning process, as teachers had to figure out a brand-new tool while already under the pressures of shifting to remote education. 

Schools can continue using Google Classroom or Microsoft Teams if they prefer those tools, but some teachers posted on Twitter to say they were happy to be able to use Zoom again. 


Apple, Google announce privacy safeguards for COVID-19 exposure app

The program will allow public health authorities to alert consumers of a potential exposure to a person with COVID-19

Apple and Alphabet’s Google announced on Monday that they will disable location tracking in apps that use their coronavirus tracking program, “Contact Tracing,” with the aim of ensuring user data is protected. 

Apple and Google announced the new program in April, saying it would allow them to send alerts to consumers who may have been in contact with someone who was exposed to COVID-19. The companies said the goal of the program was to slow the spread of the novel virus and help facilitate society’s return to normal. 

The companies said at the time that user privacy and security was “central to the design” of the program, although Apple did say it would collect “some information.” After the program was announced, the Senate Finance Committee raised concerns about the privacy implications of the program. 

Apple assured senators that Contact Tracing was developed with layers of “technical and administrative safeguards” to protect data as it’s being transported. Additionally, the company said only authorized public health authorities would be allowed access to that data. 

‘Privacy-preserving’ tech 

On Monday, the two companies announced that they would ban the use of location tracking in apps that use the program. Apple and Google said their priority is protecting user privacy and preventing governments from using the system to collect data on consumers. 

The program uses Bluetooth signals from people’s phones to detect encounters, but it doesn’t use or store GPS location information. Apple and Google said Monday that they will allow only one app per country to use Contact Tracing to avoid fragmentation between different systems and allow all smartphones to work together.

The companies are expected to push the new software to consumers’ smartphones automatically later this month. 

“All of us at Apple and Google believe there has never been a more important moment to work together to solve one of the world’s most pressing problems,” the companies said in a statement. “Through close cooperation and collaboration with developers, governments, and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID‑19 and accelerate the return of everyday life.” 


Google bans use of Zoom on employee computers

Following a boom in popularity, Zoom is facing backlash over its security shortcomings

Google is banning the use of video conferencing application Zoom by its employees due to security concerns. 

The number of Zoom users ballooned recently after more Americans began working remotely to slow the spread of the coronavirus. But after use of the platform surged, it became evident that Zoom’s security measures weren’t enough to support its new popularity. 

On Wednesday, Buzzfeed reported that Google sent its employees an email last week telling them that if they had the Zoom app installed on their work computers, they would soon find that the software no longer functioned.  

“We have long had a policy of not allowing employees to use unapproved apps for work that are outside of our corporate network,” a Google spokesperson told Buzzfeed. “Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees.” 

The spokesperson added that employees who have been using Zoom to stay connected with family and friends can “continue to do so through a web browser or via mobile.”

Security vulnerabilities 

As Zoom’s traffic dramatically increased, so did incidents of harassment on the platform. “Zoombombing” -- where a hacker disrupts a meeting with racist remarks, aggressive language, pornographic content, or even death threats -- has rattled Zoom users and prompted the FBI to issue a statement saying the offense is “punishable by fines and imprisonment.” 

Other Zoom vulnerabilities have included undisclosed data sharing with Facebook, exposed Zoom recordings and LinkedIn profiles, and a “malware-like” installer on the Mac version of the app.

In light of the apparent privacy and security issues, New York City’s Department of Education recently announced that educators who use Zoom to teach remotely would need to gradually transition to other virtual classroom platforms. 

The DOE said it received “various reports documenting issues that impact the security and privacy of the Zoom platform.” 

“Based on the DOE’s review of these documented concerns, the DOE will no longer permit the use of Zoom at this time,” the Department said last week. “Schools should move away from using Zoom as soon as possible.” 

Zoom founder and CEO Eric Yuan said in a recent blog post that supporting the influx of users has been a “tremendous undertaking,” but his company is doing everything it can to strengthen security measures. Zoom said it would temporarily pause new features on the app for 90 days while it focuses on improving security and privacy. 


Two new Zoom vulnerabilities discovered

As its use soars, the app’s security is being called into question

A former NSA hacker has discovered two new security vulnerabilities in the Mac version of the popular video conferencing application Zoom, TechCrunch reports. 

Patrick Wardle, who is now principal security researcher at Jamf, published a blog post Tuesday detailing his discoveries. 

Wardle noted that Zoom is “well on its way to becoming a household verb” since so many people are now working from home while riding out the current health crisis. However, he says users “may want to think twice” about using the macOS version of the app in light of his findings.

Privilege escalation

The first of the two zero-day vulnerabilities enables an attacker to exploit Zoom's insecure install settings to gain “root” privileges.

“Those root-level user privileges mean the attacker can access the underlying macOS operating system, which are typically off-limits to most users, making it easier to run malware or spyware without the user noticing,” TechCrunch noted.

The second bug enables an attacker to inject malicious code into Zoom that will give the attacker access to the webcam and microphone. 

“No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video,” wrote Wardle.

To exploit either of the bugs, an attacker would need to have physical access to a computer running Zoom’s macOS client. With people being encouraged to practice social distancing to mitigate the spread of the coronavirus, the vulnerabilities may not pose a significant security threat.

“However if you value either your (cyber) security or privacy, you … should avoid using the macOS version of the app, as neither of these essential values seem to be part of their ethos,” Wardle said.

Security under scrutiny

The discovery of the two new flaws comes on the heels of another vulnerability found in Zoom. Security researchers recently found a Zoom bug that gives an attacker the ability to steal Windows login credentials. 

The platform is currently being investigated by New York Attorney General Letitia James, who has set out to ensure that the company’s data privacy and security practices are sufficient as its use soars. 

In a letter to Zoom, James described the platform as “an essential and valuable communications” tool. However, she expressed concern that the company has been slow to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.”


Marriott announces second major data breach in two years

More than 5 million guest records were stolen in the latest breach

For the second time in two years, Marriott International has disclosed that it suffered a massive data breach. The most recent breach of consumer data, which was disclosed on Tuesday, affects roughly 5.2 million guests. 

Information compromised in the breach included names, contact details, and addresses. The hotel chain said the data may have been accessed starting in January via the login information of two employees. 

“At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” the company said in a statement. “We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.” 

Marriott said its investigation into the matter is ongoing. However, company officials said they have “no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.” 

Affected customers received an email on Tuesday informing them of the discovery. Marriott has also set up a website where guests can submit a request to see if their information was involved in the breach. 

Second incident in two years

In 2018, Marriott announced that it suffered a data breach involving the names, addresses, contact information, and passport numbers of over 300 million guests who checked into one of its Starwood hotel locations. The company said at the time that an investigation revealed that unknown parties gained access to the database at some point during 2014. 

Following the most recent breach, Marriott outlined a number of steps that impacted guests can take to protect their information. The company said affected Marriott Bonvoy members will have their accounts automatically disabled and will need to change their password the next time they log in. 

For all guests who think they may have been affected, Marriott recommends signing up for credit monitoring, changing your password, enabling two-factor authentication, and keeping a lookout for potential fraud emails.

Room for improved cybersecurity practices

The latest breach calls into question improvements made in security in the wake of the breach that occurred in 2017, said Tyler Moffitt, a senior threat research analyst at Webroot.

“While this breach is not as widespread as the previous incident, it is still worrisome, with names, phone numbers, emails and other sensitive information released,” Moffitt told ConsumerAffairs. 

“This second offense is apparently the result of two employees' credentials improperly accessing guest information, which further amplifies the need for companies to be aware of malicious insiders and put better cybersecurity practices into place for credential abuse and permissions.” 

Regardless of whether they are affected by this particular breach, consumers “need to be wary of the personal information they share with companies and make sure it’s protected, including regularly updating passwords and implementing credit monitoring,” Moffitt said.


Zoom’s privacy practices questioned by New York Attorney General

Consumers need to know exactly what data they’re letting platforms see and use

As the spread of COVID-19 forced the world to start hunkering down from home and using technology like videoconferencing to hold virtual meetings, religious services, and family get-togethers, remote conferencing service Zoom has taken off like a rocket. In Italy alone, during the peak week of its crisis, the Zoom app was downloaded more than a half-million times.

Getting lots of love is welcome at any technology company, but Zoom’s rise has created a lift-the-covers look-see from New York Attorney General Letitia James, who wants to make sure the company’s data privacy and security practices are up to snuff.

According to the New York Times, the Attorney General’s office sent Zoom a letter pointedly asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers.

Who’s zooming who?

While the Attorney General says her office regards Zoom as “an essential and valuable communications platform,” her letter details several concerns. James suggests that the company has slacked on its efforts to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams” -- a novelty some refer to as “Zoombombing.” 

Unfortunately, this novelty is anything but fun. It has allowed mavericks to take advantage of a Zoom screen-sharing feature to hijack meetings and butt in on educational teleconferences and Sunday School group meetings. Some hackers have even gone so far as posting white supremacist messages while a webinar on anti-Semitism was going on. 

Someone bringing up the subject of security flaws is nothing new to Zoom. In July 2019, security research company Checkpoint Research notified Zoom that it had detected a flaw in the company’s system that “allowed a threat actor to potentially identify and join active meetings” by using randomly generated meeting IDs. When Checkpoint tested out the hackers’ method, it was able to successfully mimic that break-in technique roughly 4 percent of the time. 

In response, Zoom made changes that would keep those bad actors from joining meetings at their will by building in a trigger that would cause hackers’ devices to be blocked for a period of time if they repeatedly attempted to scan for meeting IDs. 

Zoom updates its privacy policy

ConsumerAffairs thought it might be interesting to take a comparative look at Zoom’s privacy policy as of March 29 -- about the time the company should have received the AG’s letter -- to see how it framed its privacy policy a week or so before (March 18, 2020). What we found indicates that Zoom has taken a much harder look at how it articulates what its users should expect when it comes to privacy and what uses the company allows for itself.

To its credit, Zoom made its policy easier to understand and more straightforward. For example, it did away with the whitewashing of how it went about data collection and scrapped gauzy phrases like: “We use this information to offer and improve our services, troubleshoot, and to improve our marketing efforts.” 

One big change that ConsumerAffairs found to be more consumer-friendly was dispensing with the laundry list of bullet points and paragraphs detailing its privacy policy and going with a table where the company laid out a far more understandable portrayal of what data it collects, examples, and how it uses that information. You can find the company’s revamped privacy policy on its website here.


Google Chrome hack generated fake update to compromise users’ devices

Antivirus developers are scrambling to find a fix, but Google is also offering assistance worried computer users

One would never think that an antivirus software company in Russia of all places would be coming to the rescue of the United States’ biggest tech company, Google. But believe it or not, it’s true.

Virus analysts at Moscow-based Doctor Web found that cybercrooks had found an open backdoor in a recent Google Chrome update and were able to squeeze through that hole and ravage online news blogs and corporate pages that were built using WordPress’ content management system (CMS).

“If the victims fall for the trick and install the ‘updates,’ they'll actually be installing TeamViewer, a legitimate remote-desktop tool that gives the hackers real-time remote control of your computer,” says Paul Wagenseil, a security expert at Tom’s Guide.

“They'll also install a script that makes sure that the Microsoft Defender antivirus software built into Windows is unaware of what's going on.”

Think you might have fallen prey?

As you can imagine, this new wrinkle has set antivirus developers scrambling for a fix. If you use antivirus software, you’d be smart to contact them directly and ask about Chrome Update 80.0.3987.149.

If you don’t have antivirus software installed, one potential way ConsumerAffairs found to mitigate the issue is to go directly to Google’s Chrome “Stable Channel Update for Desktop.” There, you’ll find updates as they happen and a community help forum where you can find help from peer Google Chrome users.


More than 50 malicious children’s and utility apps found on Google Play

Google has removed the apps, but Android users need to double-check their phones to see if they’ve downloaded any of the culprits

While the world is trying to find a way to stave off the coronavirus, there’s a new digital lowlife set on upending the lives of Android users.

Security researchers have identified a new, interconnected malware “family” that was operating in 56 applications on the Google Play store. The apps in question were downloaded close to 1 million times worldwide.

“Although Google has taken steps to secure its Play store and stop malicious activity, hackers are still finding ways to infiltrate the app store and access users’ devices,” cyber threat intelligence firm Checkpoint said. 

“Millions of mobile phone users have unintentionally downloaded malicious apps that have the ability to compromise their data, credentials, emails, text messages, and geographical location.”

The attack mode

Checkpoint believes the goal of this digital dastard -- aka “Tekya” -- is mobile ad fraud. Once in a user’s system, it mimics an app user’s actions and secretly clicks on ads and banners within an app.

Ad fraud can be committed in many ways -- from faking the number of installs of a certain app to generating views or impressions that never took place -- all in hopes of hoodwinking an advertiser into buying ads on apps that the people behind Tekya are somehow connected to.

What are the apps and what should you do?

Of the 56 affected apps, Checkpoint says 24 of them are children’s games -- e.g. “Cooking Delicious” and “Race in Space.” Another 32 are utility apps for things like weather and translation. A complete list is available on Checkpoint’s website.

Consumers who want to protect themselves from this malicious scheme should check whether any of the suspicious apps are on their phone and take the following recommended steps:

  1. Uninstall the infected application from the device

  2. Install a security solution to prevent future infections

  3. Update your device’s operating system and applications to the latest version

Google has yanked the suspicious apps from its app store to protect its user base. However, if the past is any indication, the odds are good that more digital cockroaches will find another way to use Google Play as an inroad to do their dirty work. 

Going forward, Ravie Lakshmanan at TheHackerNews offered what ConsumerAffairs thinks is sound advice for Android users. 

“To safeguard yourself from such threats, it's recommended that you stick to the Play Store for downloading apps and avoid sideloading from other sources,” Lakshmanan wrote. “More importantly, scrutinize the reviews, developer details, and the list of requested permissions before installing any app.”


Proposed legislation would bar TikTok from government devices

Republican lawmakers claim the Chinese-made app is a security threat

Young people seem to love the TikTok app, but two Republican lawmakers say it has no place in the U.S. government workplace.

Senators Josh Hawley of Missouri and Rick Scott of Florida have introduced legislation that seeks to ban employees at the State Department and Department of Homeland Security from accessing the app on official government devices.

“TikTok is owned by a Chinese company that includes Chinese Communist Party members on its board, and it is required by law to share user data with Beijing,” Hawley said. “As many of our federal agencies have already recognized, TikTok is a major security risk to the United States, and it has no place on government devices.”

TikTok is a platform for the display of short videos. Scott said that when government employees access TikTok on government devices, it poses a threat to national security. 

TikTok is very popular among American teenagers, but its use among middle-aged government employees has yet to be demonstrated. In 2019, the company said its 26.5 million monthly active users in the U.S. averaged in age between 16 and 24.

But the app came under closer U.S. government scrutiny last year after its parent company spent $1 billion to acquire the U.S. social media app Musical.ly.

‘Concern unfounded’

A spokesman for TikTok dismissed the legislation, saying the lawmakers’ concerns are unfounded. The company said it plans to open a “transparency center” in the U.S. to give technology experts better insight into the company’s privacy practices.

In December, TikTok was accused of gathering American users’ data and transferring it to servers in China. The company vigorously denied the charges. A month earlier, the U.S. Army said it would launch a security assessment of TikTok with the aim of allaying concerns raised by Sen. Chuck Schumer (D-NY) and other officials.

"National security experts have raised concerns about TikTok's collection and handling of user data, including user content and communications, IP addresses, location-related data, metadata, and other sensitive personal information," Schumer wrote in a November 7 letter to Army Secretary Ryan McCarthy.

TikTok says it doesn’t store user data in Chinese servers. Rather, it says it stores all U.S. user data in the U.S., with backups in Singapore.


MGM Resorts data on over 10 million guests found on the dark web

The company says payment details were not compromised

Hackers who seized personal data from more than 10 million guests at MGM Resorts last year are now trying to cash in by selling that information to the highest bidders.

Technology publisher ZDNet reports that it found personal details on the breach victims listed on a hacking forum this week. The information includes personal and contact information on guests, including well-known celebrities and business executives.

ZDNet said it has independently verified that the information seen online is authentic.

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” a company spokesman said in a statement to the media. People compromised by the hack have been notified, the company said.

MGM Resorts said it has contracted two cybersecurity forensic investigative companies to help the company fully understand how the security breach occurred. It said it has also begun beefing up its network security to prevent future intrusions.

Data breaches are racking up

The spokesman said the leaked data did not include payment information, which was included in recent hacks of convenience store chains Wawa and Rutters. The Wawa hack, affecting 30 million customers, was reported in December. By late January, much of the data was for sale on the dark web.

Hackers began advertising the card data for sale on sites known to be used by hackers. Experts at Gemini Advisory, a threat intelligence firm, said the source of the card data was confirmed as coming from Wawa.

Hackers have been able to make a handsome profit when they market stolen data on the dark web, but the sheer volume of this information has made it more difficult to find buyers in recent years.

Late last year, researchers came across a huge collection of data on a poorly guarded server and notified authorities before it could be compromised. The data belonged to consumers in Canada, the U.K., and the U.S. and included phone numbers and social media profiles. Social Security numbers, passwords, and credit card numbers were not found.


Hackers lived inside of Citrix’s network for five months, the company confirms

Information from many of the nation’s top companies may have been up for grabs

A new story about Citrix Systems proves that no one is safe from hackers and digital con artists.

One would think that a software company known for networking, software as a service (SaaS), and cloud computing might be super vigilant. But it appears that no person or company is immune. Citrix has confirmed that some nasty hackers were roaming through its networks for five months between 2018 and 2019, grabbing the financial and personal data of Citrix employees, contractors, and even interns and dependents of employees. 

The company says the hackers may have also made off with Social Security Numbers, other tax ID numbers, driver’s license numbers, financial account numbers, payment card numbers, passport numbers, and health claims information like provider names and dates of service.

It took Citrix almost a year to come clean about the intrusion. In a February 10, 2020 letter to those who may have been affected, Citrix divulged that the attackers “had intermittent access” to Citrix’s internal network between Oct. 13, 2018 and Mar. 8, 2019. However, it stated there was zero evidence that hackers remained in the company’s systems.

Why a letter? Citrix’s letter was prompted by laws in virtually all U.S. states that require companies to notify affected consumers of any incident that may have compromised their personal data. Plus, the Federal Trade Commission (FTC) has an additional breach notification rule for any business that collects health-related information.

Password spraying

Rewinding to March 2019, Krebs on Security reports that the Federal Bureau of Investigation (FBI) alerted Citrix about the potential incursion, saying that the hackers probably got into Citrix’s networks using a technique called “password spraying.” 

Password spraying is an attack mode that tries a few commonly used passwords, such as “Password1,” against a large list of usernames. The technique is used because it lets the attacker remain hidden and avoid account lockouts: lockout rules typically count repeated failures against a single account, and a spray produces only one or two failures per account.
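The low-and-slow pattern described above shows up in authentication logs as the mirror image of what a lockout catches: one source, many accounts, only a failure or two per account. The detector below is an added example, not code from the article, Citrix, or the FBI; the log line format and the sample lines are constructed for the demonstration.

```python
"""Detect password-spraying patterns in failed-login logs.

Added example (not part of the original article or any Citrix material).
The log format is constructed: one failed-login event per line, e.g.
    2019-03-01T09:00:01Z FAIL user=alice src=203.0.113.5
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: one spraying source, one brute-force source,
# one benign mistyped password, and one line of noise.
SAMPLE_LOG = [
    "2019-03-01T09:00:01Z FAIL user=alice src=203.0.113.5",
    "2019-03-01T09:01:12Z FAIL user=bob src=203.0.113.5",
    "2019-03-01T09:02:30Z FAIL user=carol src=203.0.113.5",
    "2019-03-01T09:03:45Z FAIL user=dave src=203.0.113.5",
    "2019-03-01T09:04:58Z FAIL user=erin src=203.0.113.5",
    "2019-03-01T09:06:10Z FAIL user=frank src=203.0.113.5",
    "2019-03-01T09:00:05Z FAIL user=admin src=198.51.100.7",
    "2019-03-01T09:00:06Z FAIL user=admin src=198.51.100.7",
    "2019-03-01T09:00:07Z FAIL user=admin src=198.51.100.7",
    "2019-03-01T09:00:08Z FAIL user=admin src=198.51.100.7",
    "2019-03-01T09:00:09Z FAIL user=admin src=198.51.100.7",
    "2019-03-01T09:00:10Z FAIL user=admin src=198.51.100.7",
    "2019-03-01T09:30:00Z FAIL user=gina src=192.0.2.9",
    "this line is not an auth event",
]


def parse_line(line):
    """Return (timestamp, user, src) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("user"), m.group("src")


def detect_spraying(lines, window=timedelta(minutes=30),
                    min_users=5, max_per_user=2):
    """Flag sources whose failures are spread thinly across many accounts.

    A spray is a single source producing failures against at least
    `min_users` distinct usernames inside `window`, with no single username
    failing more than `max_per_user` times (the property that keeps
    per-account lockout thresholds from firing). A brute force against one
    account has the opposite shape and is left to the lockout policy.
    Returns {src: sorted list of usernames hit}.
    """
    events = defaultdict(list)  # src -> [(ts, user), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, src = parsed
            events[src].append((ts, user))

    hits = defaultdict(set)
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start:end+1] fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in evs[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src].update(per_user)
    return {src: sorted(users) for src, users in hits.items()}


if __name__ == "__main__":
    for src, users in detect_spraying(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

In the sample, only 203.0.113.5 is flagged; the six failures against admin from 198.51.100.7 are a brute force that a per-account lockout already handles.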


Ring adds more security features following data breach

Users will need to enable two-factor authentication to use the service

Users of the Ring video doorbell are likely seeing a new update from the company that seeks to improve the device’s security. 

The company announced this week that it was adding more security measures to users’ accounts to ensure that they stay protected from hackers and other malicious actors. The move follows a massive breach that allowed hackers to steal sensitive information and control the devices of more than 3,600 device owners. 

“At Ring, our mission is to make neighborhoods safer and we strive to give our customers the peace of mind that comes from knowing their homes are more secure. Delivering you privacy, security and control are foundational to achieving our mission,” the company stated. 

“That’s why we’re listening to what you, our customers, are saying and taking additional steps to help you feel confident that your home and personal information are safe when you use our products.”

Mandatory two-factor authentication

Under its new privacy stance, the company is requiring all users to enable two-factor authentication. It says the new level of security will be required when users log in to their accounts and will help verify that hackers haven’t improperly gained access. 

The process works much like any other two-factor authentication system. When users attempt to log in to their device, a six-digit code will be sent to their phone or another device that will be needed to gain access. 

Additionally, the company says it will be keeping another new security feature implemented in December that alerts users every time someone tries to log in to their account. The idea is that users will quickly be able to recognize if someone is targeting their Ring account so that the issue can be resolved and reported quickly.

Security recommendations

In its announcement, Ring also provided a list of best security practices that it says will help keep users’ accounts secure. The list follows:

  • Don’t reuse passwords between your various online accounts – instead, generate unique, strong passwords for each account.

  • Keep your phone numbers and email addresses up to date on your various online accounts.

  • Add a PIN or passcode to your smartphone account to help prevent unauthorized changes to your mobile account. You can do this by logging into your mobile phone account or calling your wireless carrier.

  • Upgrade to the latest version of your apps and operating systems, including the latest Ring apps.

  • View and manage your trusted devices in your “Authorized Client Devices” section of Control Center on your Ring app.

  • Add Shared Users to your Ring account instead of sharing your login credentials. You can also view and manage Shared Users in Control Center.