WebProNews

Category: CybersecurityUpdate

  • Windows 11 Sends Massive Amounts of Data to Ad Companies

    The PC Security Channel (TPSC) analyzed Windows 11 and found it sends massive amounts of user data to Microsoft, as well as third-party ad companies.

    TPSC is a YouTube channel dedicated to cybersecurity and privacy. The channel took a brand-new, never-used laptop and used Wireshark to monitor the computer’s network traffic from the moment it was first booted.

    Unsurprisingly, the computer immediately connected to a number of Microsoft services, including Bing, MSN, and the Windows Update service. While it’s not surprising a Windows machine would connect to Microsoft, it is surprising that the Bing traffic was happening without the web browser ever being opened or used.

    Even more surprising, Windows 11 also connected to McAfee, Steam, and Comscore’s ScorecardResearch.com, to name just a few. The last one is particularly alarming, as it is an ad-tech company. In fact, when TPSC first tried going to the website to see what ScorecardResearch.com was, the channel’s browser adblocker would not even load the page since it is a known ad and tracking domain.

    To make matters worse, Microsoft connects and sends data to these servers without expressly asking the user’s permission. Instead, the company relies on a vague clause in the Microsoft License Terms to constitute permission.

    Privacy; Consent to Use of Data. Your privacy is important to us. Some of the software features send or receive information when using those features. Many of these features can be switched off in the user interface, or you can choose not to use them. By accepting this agreement and using the software you agree that Microsoft may collect, use, and disclose the information as described in the Microsoft Privacy Statement (aka.ms/privacy), and as may be described in the user interface associated with the software features.

    Tom’s Hardware reached out to Microsoft and was given the following statement:

    “As with any modern operating system, users can expect to see data flowing to help them remain secure, up to date, and keep the system working as anticipated,” a Microsoft spokesperson said. “We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy.”

    A legitimate case can be made for Windows 11 connecting to Microsoft services, but there is absolutely no valid justification for connecting to and sending telemetry to an ad-tech company.

    Interestingly, TPSC ran the same test with Windows XP and found that it only connected to Microsoft update servers, greatly undermining Microsoft’s claim that Windows 11’s connections to third parties were necessary to “remain secure, up to date, and keep the system working as anticipated.”

    As we have stated at WPN many times, there is NO EXCUSE for a company that charges handsomely for a product to then turn around and try to monetize its customers’ data, let alone try to do so without express and explicit permission. And no, a couple of sentences buried in a long, legalese licensing document that few people will ever read does not count as express and explicit permission.

    Microsoft should be ashamed of itself for this behavior, and one can only hope this revelation will put the company in the crosshairs of the EU’s GDPR.

    In the meantime, TPSC’s question, “Has Windows become spyware?” is one that deserves an answer.

  • Reddit Was Hacked, but Says User Data Is Safe

    Reddit has informed users that it was hacked Sunday night, but says user accounts and passwords appear to be safe.

    According to the social media company, its employees were targeted by a “sophisticated phishing campaign” that pointed employees to a website that attempted to steal their credentials.

    After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).

    Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.

    Hopefully the scope of the breach remains limited to Reddit’s initial findings.

  • Three Safety Precautions You Must Make When Sending Money Online

    Sending somebody an online payment has become easier than ever these days. Whether you need to pay for a product or service, repay a friend for lunch, or pay your mom back some money that you borrowed, there are now more apps and services available that you can use to do this in a couple of clicks.

    Online money transfer apps and services are also very popular among people who have moved to another country for work, as they often use them to send money back to help out family at home. However, with the growing popularity of online money transfer services come plenty of scams and risks. Here are some of the best things you can do to keep yourself safe when transferring money online.

    Use a Trusted Payment Provider

    The best way to stay safe when sending payments online is to use your online banking app and only make transfers to verified accounts. Make sure that you know the person you are sending money to and that you received the account information from them personally. If you are unable to use your online banking to make the transfer, for example when sending money abroad to family back home, it’s important to use a reputable and trusted international money transfer app such as Ria Money Transfer.

    Make Sure You Know Who You Are Sending Money To

    Only send money to people you can verify as real. Make sure that you know the person you are sending money to. It’s best to speak to them in person wherever possible to get the account details to transfer to. If using a payment app, you may be able to add an additional layer of security by sending the payment via their email address, which you can verify first. Be wary of any emails or text messages requesting money, even if they appear to come from somebody you know. A video call or phone call to confirm the information is a good idea, and will enable you to make sure that it’s actually your relative or friend who requested the money and that the details you have are correct.

    Use An Anti-Virus Program

    Whether you are using an app on your smartphone or another device such as a laptop or tablet to send money to friends and family, it’s a good idea to ensure that you are protected with a strong anti-virus program. This will scan your device and any software on it, looking out for malicious software such as spyware that might be attempting to access your financial accounts or the login details for the payment apps you use. Ideally, you should have the program running in the background at all times so that it can immediately alert you to anything that isn’t right.

    Sending money online has become a common occurrence in today’s world, with most of us doing it. However, it’s important to be aware of the risks involved each time you make a transfer.

  • Privacy and Cybersecurity Challenges in 2023 – Part One

    With a new year comes new privacy and cybersecurity challenges for companies large and small, not the least of which is new regulation. The tech industry is facing new regulations in 2023, some of which will have profound impacts on day-to-day business and carry hefty penalties for non-compliance.

    Here are some of the top regulatory issues companies need to be aware of:

    Voluntary Cooperation Is Out; Regulation Is In

    One of the major changes moving forward in 2023 is an expected change in the US government’s approach to cybersecurity. In the past, the government was largely willing to allow companies to handle cybersecurity issues on a voluntary basis, but those days appear to be over.

    The White House Office of the National Cyber Director is expected to unveil major new initiatives in the first half of 2023, and many of them will be mandatory.

    “We’ve been working for about 23 years on a largely voluntary approach,” said Mark Montgomery, the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “The way forward is going to require thinking about regulation.”

    California Consumer Privacy Act of 2018

    One of the biggest regulatory challenges businesses will face is the California Consumer Privacy Act of 2018 (CCPA), including the Proposition 24 amendments that were passed in 2020 and expanded the scope of the CCPA.

    Per the California Attorney General’s office, the CCPA guarantees the following rights:

    • The right to know about the personal information a business collects about them and how it is used and shared;
    • The right to delete personal information collected from them (with some exceptions);
    • The right to opt-out of the sale or sharing of their personal information; and
    • The right to non-discrimination for exercising their CCPA rights.

    In addition, the Proposition 24 amendments add the following:

    • The right to correct inaccurate personal information that a business has about them; and
    • The right to limit the use and disclosure of sensitive personal information collected about them.

    The latter two rights, in particular, are of special note since they went into effect on January 1, 2023.

    Most important, however, is a provision that allows customers to take legal action against companies that fail to properly protect their data and expose such data as a result of a breach. This places a tremendous responsibility on companies to ensure all possible measures are being taken to reduce their possible liability.

    Increased GDPR Enforcement

    Another major hurdle many businesses will face is increased enforcement of the European Union’s GDPR. While the GDPR has been in effect for years, companies on both sides of the Atlantic have largely ignored some of its provisions.

    The EU sent a clear message in 2022, however, that companies will continue to ignore the GDPR at their own peril. For example, in January 2022, the Austrian Data Protection Authority ruled that Google Analytics violated the GDPR and was therefore illegal, impacting countless EU-based companies and websites.

    At the heart of the issue is the protection of EU citizens’ data when it is in the hands of US-based companies. The EU is especially concerned that US intelligence agencies could have unwarranted access to such data. While the US and EU are working to establish a new data-sharing deal that would address such concerns, such a deal is still a ways off, leaving companies to navigate the complicated situation on their own.

    In the meantime, the EU has made it clear it will continue to go after companies that ignore its privacy and cybersecurity regulations.

    “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice,” says Max Schrems, honorary chair of The European Center for Digital Rights. “Many EU companies have followed the lead instead of switching to legal options.”

    General Issues

    In addition to the above specific concerns, there are a number of general concerns companies face. Ransomware attacks have been a growing threat in recent years, especially attacks that target vital infrastructure.

    As a result of the growing threat, cybersecurity has been a major focus of the Biden administration, with multiple executive orders, memorandums, and fact sheets addressing the issue. Some of these include unprecedented requirements, including mandatory measures to improve the overall cybersecurity of US businesses and agencies.

    Dealing With the Challenges

    Understanding the challenges is just the first step in properly preparing for and dealing with them. In Part Two of this series, we’ll look at some specific steps companies and organizations can take.

  • Google Fi Impacted by Latest T-Mobile Breach

    T-Mobile’s latest data breach may have cast a wider net than previous ones, with Google Fi customers among those impacted.

    T-Mobile alerted customers in mid-January that it had been hit by a data breach, one that impacted some 37 million customers. However, it appears T-Mobile’s customers weren’t the only ones affected.

    Google Fi has sent a notice to its customers indicating their data may also have been included in the T-Mobile breach. Below is the email customers received, via 9to5Google:

    Dear Google Fi customer,

    We’re writing to let you know that the primary network provider for Google Fi recently informed us there has been suspicious activity relating to a third party system that contains a limited amount of Google Fi customer data.

    There is no action required by you at this time.

    This system is used for Google Fi customer support purposes and contains limited data including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status.

    It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.

    Our incident response team undertook an investigation and determined that unauthorized access occurred and have worked with our primary network provider to identify and implement measures to secure the data on that third party system and notify everyone potentially impacted. There was no access to Google’s systems or any systems overseen by Google.

    If you are an active Fi user, please note that your Google Fi service continues to work as usual and was not interrupted by this issue.

  • JD Sports Notifies Customers of a Data Breach

    JD Sports has notified customers of a data breach, although it says “the affected data is limited.”

    JD Sports published a notice on January 30 that it had suffered a “cyber incident” in which a hacker gained unauthorized access to customer data involving online orders that were placed between November 2018 and October 2020. Despite the amount of data accessed, the company says the data does not include full payment information, nor does it have any reason to believe account passwords were breached.

    Despite the reassurance, the company says the compromised data does include “the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards of approximately 10 million unique customers.”

    “We want to apologise to those customers who may have been affected by this incident,” said Neil Greenhalgh, JD Sports CFO. “We are advising them to be vigilant about potential scam e-mails, calls and texts and providing details on how to report these. We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD.”

  • Lessons From the Latest Cyber Incidents

    The LastPass data breach. Ransomware on The Guardian and Royal Mail. Hackers exploiting the platform CircleCI with zero-day malware.

    January is not even over and major hacking incidents or the aftermath of last year’s exploits have already been headlining the news.

    Some malicious cyber activity took place in December and has only now been discovered, or has not yet been remedied. Other major cases, such as Royal Mail, are still ongoing.

    What can others learn from these major incidents and how can endpoint security, anti-ransomware solutions, and phishing prevention aid companies to secure their most valuable assets?

    Royal Mail: Long Road to Recovery After Nightmare Ransomware

    Ransomware is the type of malware that encrypts files and demands a ransom (mostly in cryptocurrency) in exchange for restoring access to the documents.

    Behind these major cases are malicious ransomware groups such as LockBit, Black Cat, and Hive. Most of them operate from Russia due to a lack of sanctions for this type of criminal activity in the country.

    On January 10, Royal Mail, the major British distribution service, was targeted with ransomware.

    A member of the ransomware gang LockBit has confirmed that they are behind this damaging cyber attack.

    The aftermath of the hack is still ongoing and sending or receiving international parcels has been disabled for a week. The company is working on restoring its services.

    Businesses that rely on shipments via Royal Mail have already said that they have been losing ratings and customers, and the lack of service is already causing major financial losses.

    The Guardian: Phishing Is Not Going Anywhere Anytime Soon

    Social engineering techniques are often the first step for cybercriminals because it’s easier to “hack” people than systems that are protected with all types of security measures and solutions.

    The most common type of social engineering is phishing.

    Hackers use emails, social media, or phone calls to target their victims and pressure them to click a malicious link that leads to an infected site, download malware hidden in an attachment, or reveal their passwords.

    To prevent it, companies invest in advanced tools that filter emails and phishing awareness training that teaches teams to recognize the most common phishing attempts.

    On December 20, The Guardian Media Group discovered a cyber incident within its network. It was identified as ransomware, and the company said the malware infected its systems following a successful phishing campaign.

    Luckily, workers could continue their work and publish digitally and via the app.

    The bad news was that private information belonging to UK staff was obtained by the threat actor. The data of readers and subscribers was not accessed.

    However, its IT systems have been disrupted (the internal WiFi was taken down), and until that is fully remedied staff will have to work remotely, until February.

    CircleCI: Mind Your Endpoint Security

    With the rise of remote work, the security of all of the devices workers use to connect to the company’s network (AKA endpoint devices) is essential for preventing cyberattacks.

    Employees connect to the company’s network from various home devices and may even bring their own laptops to work. If all those devices aren’t protected, companies that rely on global teams have a major weakness that can be exploited.

    Endpoint security is the term that refers to a solution that is designed for protecting data, preventing threats, and identifying advanced zero-day attacks (which are difficult to detect because hackers rely on previously unknown flaws).

    On December 16, the DevOps platform CircleCI was the victim of a zero-day attack.

    The company was notified of the suspicious activity on December 29 and started investigating the issue and securing the platform.

    On January 4, the company identified the exact scope and the kind of attack that took place. It also notified all customers of the security incident and advised them to rotate all secrets stored in CircleCI and review their internal logs.

    The attackers compromised a device one engineer had been using for work. They managed to infect it with malware that bypassed the antivirus software. Once they gained unauthorized access, they could impersonate the employee.

    LastPass: How You Handle Data Breaches Matters

    Data breaches affect both the business that has been breached and the individual whose information has been leaked.

    They can occur after a successful phishing attempt in which an employee revealed their credentials, through unauthorized access gained by exploiting a vulnerability, or by other methods.

    On December 22, LastPass, a well-known password manager, made an update on the data breach they experienced on November 30. They revealed that the incident had worse repercussions than they initially claimed.

    Namely, the threat actor managed to access password vaults as well as user data.

    The company did not provide its customers with more information for a week after that update, and security experts have suggested that users switch to another password manager.

    The lack of transparency has caused many users to change to another service.

    Key Takeaways and Lessons Learned

    Let’s start with Royal Mail. This ransomware shows how the cyber attack on critical infrastructure affects businesses and prompts consumers to question whether they could have been better protected against possible hacking threats.

    It takes a lot of time for companies to get back on their feet following an incident. During that time, they lose money on remediation and fall behind on their normal work.

    Regardless of how prepared your company might be for hacking activity, zero-day attacks can still wreak havoc on systems.

    Cyber incidents are often interlinked – as is evident from The Guardian hacking where the hacker was able to deploy ransomware following a successful phishing attack.

    At the end of the day, there is no ideal security measure because security incidents can occur even within well-protected and managed infrastructures.

    Once the attack or data breach occurs, it’s important how the news is communicated to those that are affected by the incident – that is, to be transparent and not leave worried users in the dark.

  • Hackers Stole LastPass Encryption Key

    The news from LastPass keeps getting worse, with parent company GoTo admitting an encryption key was stolen in its latest breach.

    LastPass suffered a data breach in August and has been slowly releasing more details regarding the severity of the breach. What began as theft of source code graduated to theft of user password vaults. Even then, the company reassured users that their passwords were secure, since the vaults were still protected by encryption.

    Unfortunately, the company has revised its information — yet again — and acknowledged that an encryption key for at least some downloaded data was also stolen. The breach also impacts other GoTo products.

    “We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups,” writes GoTo CEO Paddy Srinivasan. “The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

    Needless to say, LastPass users should immediately change all of their passwords and closely monitor their accounts and services for unauthorized access.

    It is extremely disturbing that the LastPass breach continues to get worse. Despite the situation, the company has still not disclosed important information regarding the incident, such as exactly how many customers have been impacted.

    Given how LastPass has handled this breach, it is increasingly hard to justify using the service or trusting that it can protect its customers.

  • OpenSnitch Application Firewall Coming to Debian

    Popular application firewall OpenSnitch is coming to Debian, one of the oldest and most popular Linux distributions (distros).

    OpenSnitch is an open source port of the popular macOS app Little Snitch. Little Snitch, and its open source counterpart, inform the user whenever an app tries to access the internet. It’s a useful feature to crack down on apps that try to ‘phone home.’

    Developer Petter Reinholdtsen posted a blog describing his efforts to work with the OpenSnitch developers to bring the app to Debian:

    It did not take long to find the OpenSnitch package, which has been in development since 2017, and now is in version 1.5.0. It has had a request for Debian packaging since 2018, but no-one completed the job so far. Just for fun, I decided to see if I could help, and I was very happy to discover that upstream want a Debian package too.

    After struggling a bit with getting the program to run, figuring out building Go programs (and a little failed detour to look at eBPF builds too – help needed), I am very happy to report that I am sponsoring upstream to maintain the package in Debian, and it has since this morning been waiting in NEW for the ftpmasters to have a look. Perhaps it can get into the archive in time for the Bookworm release?

    Given the well-deserved praise Little Snitch and OpenSnitch have earned over the years, it’s nice to see a version coming to Debian. Since Ubuntu is based on Debian, it will likely make its way there as well.

  • T-Mobile Hit By Yet Another Data Breach, 37 Million Customers Impacted

    T-Mobile has once again been hit by a massive data breach, this time impacting some 37 million customers’ data.

    T-Mobile has written a blog post outlining the details of its latest breach:

    We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts.

    The company says it shut down the breach within 24 hours of discovering it, and that customers’ most sensitive information was protected.

    No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised. Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained, including name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features.

    While the scope of this data breach may have been fairly limited, it’s still disconcerting that the company has experienced two such breaches in as many years, with the last one costing the company $350 million to settle.

    Hopefully T-Mobile will be able to shore up its security and prevent further incidents.

  • Yum Brands Hit by Ransomware, Hundreds of Restaurants Close

    Yum Brands, the parent of KFC, Pizza Hut, and Taco Bell, was hit by a ransomware attack, leading to hundreds of locations closing.

    Yum Brands acknowledged the attack in a statement Wednesday, saying its IT systems were compromised.

    On January 18, 2023, Yum! Brands, Inc. announced a ransomware attack that impacted certain information technology systems. Promptly upon detection of the incident, the Company initiated response protocols, including deploying containment measures such as taking certain systems offline and implementing enhanced monitoring technology. The Company also initiated an investigation, engaged the services of industry-leading cybersecurity and forensics professionals, and notified Federal law enforcement.

    The company says the overall impact was relatively limited. Most important, Yum Brands says there is no evidence any customer data was stolen.

    Less than 300 restaurants in the United Kingdom were closed for one day, but all stores are now operational. The Company is actively engaged in fully restoring affected systems, which is expected to be largely complete in the coming days. Although data was taken from the Company’s network and an investigation is ongoing, at this stage, there is no evidence that customer databases were stolen. While this incident caused temporary disruption, the Company is aware of no other restaurant disruptions and does not expect this event to have a material adverse impact on its business, operations or financial results.

  • Mailchimp Suffers Second Breach In Six Months

    Mailchimp has suffered yet another security incident that has exposed user data, the second such incident in six months.

    Mailchimp suffered a breach in April 2022, one that exposed the data of more than 100 customers. The company has now revealed in a blog post that it has suffered another breach:

    On January 11, the Mailchimp Security team identified an unauthorized actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration. The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.

    Once again, the breach compromised the data of more than 100 customers:

    Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts. There is no evidence that this compromise affected Intuit systems or customer data beyond these Mailchimp accounts.

    It’s unclear why Mailchimp keeps having these breaches, but it certainly doesn’t instill much confidence in the company or its owner, Intuit.

  • The Guardian Suffers Ransomware Attack, Staff’s Data Accessed

    The Guardian has suffered a major ransomware attack and has revealed that some staff’s personal data was accessed.

    The Guardian broke the news in late December that it suffered an IT incident it believed was a ransomware attack. Yesterday morning the outlet confirmed that it was indeed a ransomware attack, one that compromised the personal data of its UK-based employees.

    The outlet described the attack as a “highly sophisticated cyber-attack involving unauthorised third-party access to parts of our network,” and likely the result of a phishing attempt.

    There was a bit of good news, however, as there appears to be no evidence that readers’ data was accessed.

    The Guardian said it had no reason to believe the personal data of readers and subscribers had been accessed. It is not believed that the personal data of Guardian US and Guardian Australia staff has been accessed either.

    In an email to staff, The Guardian also said there was no evidence the compromised data had made its way online.

    “We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organisation,” said chief executive Anna Bateson and editor-in-chief Katharine Viner.

    “These attacks have become more frequent and sophisticated in the past three years, against organisations of all sizes, and kinds, in all countries.”

    They added: “We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely.”

  • US Supreme Court Allows WhatsApp Case Against Pegasus’ NSO Group

    The US Supreme Court has shot down the NSO Group’s attempt to gain immunity from lawsuits over its Pegasus spyware.

    NSO Group maintained that it only sold the Pegasus software to law enforcement and intelligence agencies, but was revealed to have sold it to authoritarian regimes as well. As a result, Pegasus spyware was used to hack phones and spy on journalists, human rights activists, and diplomats.

    NSO Group has since faced a plethora of lawsuits and has tried to avoid them by arguing it should receive immunity since it was working on behalf of foreign governments.

    According to Reuters, the Supreme Court has shot down that argument, upholding a decision of a lower court that NSO Group does not qualify for immunity. The Biden administration had urged the court to arrive at this decision, pointing out that the State Department had never given a private company sovereign immunity.

    As a result of the decision, WhatsApp’s case against NSO Group is free to proceed. With the precedent established, other cases will likely be free to proceed as well.

    WhatsApp parent Meta welcomed the decision.

    “NSO’s spyware has enabled cyberattacks targeting human rights activists, journalists and government officials,” Meta said. “We firmly believe that their operations violate U.S. law and they must be held to account for their unlawful operations.”

  • Microsoft Unveils Microsoft Security Experts Managed Services

    Microsoft is moving further into the realm of cybersecurity, unveiling new managed services to help its customers tackle security challenges.

    Microsoft is already one of the leading companies fighting cybersecurity threats. In fact, Microsoft Security blocked 9.6 billion malware attacks, as well as more than 35.7 billion phishing and malicious emails in 2021 alone. The company is now using that expertise to launch its Microsoft Security Experts managed services to help its customers.

    The company has unveiled three new services. Microsoft Defender Experts for Hunting will help customers “proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.”

    Microsoft Defender Experts for XDR is a “managed extended detection and response (XDR) service” for companies that need to expand their own internal security operations.

    Microsoft Security Services for Enterprise is a comprehensive solution for large enterprises that want their entire security service managed by experts.

    Microsoft is also committed to working with “an ecosystem of partners and technologies” in an effort to provide the best possible service.

    “Microsoft is uniquely positioned to help our customers and their partners meet today’s security challenges,” writes Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management. “We secure devices, identities, apps, and clouds—the fundamental fabric of our customers’ lives—with the full scale of our comprehensive multicloud, multiplatform solutions. Plus, we understand today’s security challenges because we live this fight ourselves every single day.”

  • Slack’s GitHub Repositories Were Stolen

    Slack has revealed that some of its private code repositories were stolen, although the company says no customer data was impacted.

    Slack is one of the most popular messaging platforms. Like many companies, it relies on GitHub repositories to help manage its code base. GitHub notified the company of suspicious activity on an external repository, leading to the discovery of the breach.

    The company outlined the details in a blog post:

    On 29 December 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on 27 December. No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.

    The company reassures users that the issue is not an inherent vulnerability within Slack, and that no other information was accessed:

    When notified of the incident, we immediately invalidated the stolen tokens and began investigating potential impact to our customers. Our current findings show that the threat actor did not access other areas of Slack’s environment, including the production environment, and they did not access other Slack resources or customer data. There was no impact to our code or services, and we have also rotated all relevant credentials as a precaution.

    Based on currently available information, the unauthorised access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor for further exposure.

    Hopefully Slack’s initial investigation is correct and no further breaches are discovered.

  • LastPass: Hackers Stole Encrypted User Password Vaults

    LastPass has issued a security advisory, notifying customers that the data breach it suffered in August was far worse than thought.

    LastPass is a popular password management application. In August, the company informed customers that it had suffered a data breach, one in which “portions of source code and some proprietary LastPass technical information” was stolen. At the time, the company assured customers that no passwords were stolen or compromised.

    The company has provided an update on the situation, informing customers that the data stolen in August was used to compromise an employee’s credentials and gain access to the company’s cloud-based storage service. As a result of this secondary breach, the hacker was able to download a backup copy of customer data vaults.

    The company described the issue in its advisory:

    To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

    The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

    Despite the severity of the breach, LastPass says customer passwords are still secure…at least for now. The company says encrypted fields are protected using 256-bit AES encryption, with the encryption key based on the user’s master password. Between the strong encryption and the fact that LastPass does not have access to a user’s password, theoretically, users’ password vaults should still be secure.

    Despite the assurance, LastPass says all users should immediately change their master passwords to prevent any risk of the hackers using brute force attacks to try to access the vaults or use some of the unencrypted data in phishing and scam attempts.

    The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices. We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls.

    The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.

    LastPass’ revelation is a disturbing one, given the popularity of the application and the important role it plays in the cybersecurity of countless individuals. One can only hope the company will take drastic steps to ensure such a breach doesn’t happen again.

  • Okta’s GitHub Repo Hacked, Source Code Stolen

    Okta’s GitHub repo was reportedly hacked and the company’s source code stolen, raising questions about a critical cybersecurity platform.

    Okta is one of the world’s leading authentication platforms, offering single sign-on and Identity and Access Management (IAM) solutions. BleepingComputer saw a ‘confidential’ email regarding a reported breach.

    GitHub evidently notified Okta of suspicious activity on its account. Investigation revealed that bad actors accessed the company’s source code and copied it.

    “Upon investigation, we have concluded that such access was used to copy Okta code repositories,” wrote David Bradbury, the company’s Chief Security Officer (CSO), in an email sent to the company’s security contacts.

    Despite the breach, Okta says there is little reason for concern. The company says “HIPAA, FedRAMP or DoD customers” were not impacted since the company’s security “does not rely on the confidentiality of its source code as a means to secure its services.”

  • Cyberattack Takes Out FuboTV During World Cup Semifinals

    Many FuboTV customers experienced issues watching the World Cup semifinals, the result of a “criminal cyber attack,” according to the company.

    FuboTV is a popular TV streaming service with a strong focus on sports. The company got its start as a soccer-focused streaming service, before branching out into other sports and content. Unfortunately, during the match between France and Morocco, many customers were unable to watch the event.

    The company says the issue was not a result of bandwidth issues, but a “criminal cyber attack.”

    “We have reported the incident to law enforcement and have engaged Mandiant, an industry-leading incident response firm, to assist with our continuing investigation and response,” the company writes in a statement. “Our primary focus currently is on ensuring that the incident is fully contained and that there is no threat of further disruption for any of our customers.

    “Our investigation is at an early stage, but we are committed to transparency regarding this incident. We will provide an update at an appropriate time when we have more information to share.”

  • Apple Adding End-to-End Encryption to iCloud, FBI Predictably Objects

    Apple is finally adding a major feature to iCloud, upgrading its security to include end-to-end encryption (E2EE).

    iCloud has always included strong encryption, labeled “Data Protection,” but it did not offer E2EE, meaning Apple ultimately held the key to unlocking users’ data. Apple reportedly investigated the possibility of adding E2EE years ago, but abandoned plans in response to FBI objections.

    The company has now announced plans to roll out full E2EE for iCloud under its “Advanced Data Protection.”

    “Apple makes the most secure mobile devices on the market. And now, we are building on that powerful foundation,” said Ivan Krstić, Apple’s head of Security Engineering and Architecture. “Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.”

    Advanced Data Protection is already available to Apple Beta Software Program members and will be available to all users in the US by year’s end. The feature will make its way to worldwide customers in early 2023.

    Not surprisingly, the FBI is renewing its objection, saying it was “deeply concerned with the threat end-to-end and user-only-access encryption pose.”

    “This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism,” the bureau said in an emailed statement to The Washington Post. “In this age of cybersecurity and demands for ‘security by design,’ the FBI and law enforcement partners need ‘lawful access by design.’”

    Despite the FBI’s concerns, many other organizations are praising Apple.

    “We applaud Apple for listening to experts, child advocates, and users who want to protect their most sensitive data,” writes the Electronic Frontier Foundation. “Encryption is one of the most important tools we have for maintaining privacy and security online. That’s why we included the demand that Apple let users encrypt iCloud backups in the Fix It Already campaign that we launched in 2019.”

  • Apple Abandons Plans to Scan Devices for CSAM

    Apple has completely abandoned one of its most controversial initiatives that would have involved scanning all devices for CSAM.

    Tech companies are always looking for ways to identify and root out Child Sexual Abuse Material (CSAM) from their platforms. Google, Microsoft, Meta, and others routinely scan content on their cloud platforms against a centralized database of CSAM content maintained by the National Center for Missing & Exploited Children (NCMEC).

    Apple’s proposed solution was very different. Apple designed a two-step process that involved scanning the consumer’s own device. Apple planned to install a database of hashes representing the files in NCMEC’s database on each and every iPhone, iPad, Mac, and Apple TV.

    To be clear, Apple was not going to place CSAM material on devices, only mathematical hashes that represent them. Any device with iCloud enabled would then run the same mathematical hash on local photos and videos and compare them to the database of NCMEC hashes. Once a threshold of matches was reached, the case would undergo human review before being forwarded to the authorities if the matches were accurate. Until that happened, all results would remain completely anonymous.

    After pushback from the industry and security and privacy experts, Apple originally delayed rollout and has now abandoned its plans in favor of other, less dangerous methods.

    “After extensive consultation with experts to gather feedback on child protection initiatives we proposed last year, we are deepening our investment in the Communication Safety feature that we first made available in December 2021,” the company told WIRED in a statement. “We have further decided to not move forward with our previously proposed CSAM detection tool for iCloud Photos. Children can be protected without companies combing through personal data, and we will continue working with governments, child advocates, and other companies to help protect young people, preserve their right to privacy, and make the internet a safer place for children and for us all.”

    The company will instead focus on its opt-in Communication Safety features that parents can activate to flag inappropriate texts, pictures, and videos sent to their children via iMessage.

    “Potential child exploitation can be interrupted before it happens by providing opt-in tools for parents to help protect their children from unsafe communications,” the company continued in its statement. “Apple is dedicated to developing innovative privacy-preserving solutions to combat Child Sexual Abuse Material and protect children, while addressing the unique privacy needs of personal communications and data storage.”

    The new approach strikes a far better balance between the responsibilities Apple is trying to take on and the preservation of individual privacy. While Apple’s original scanning approach seemed promising in terms of privacy, it also posed a host of problems. Security and privacy experts immediately pointed out the danger of Apple being forced by governments to use its matching algorithm for other purposes, such as political, religious, or human rights surveillance. There are also documented instances of non-CSAM images being placed in the NCMEC database, opening the possibility of false positives.

    Not surprisingly, the EU recently proposed new rules that sound eerily similar to Apple’s method, while simultaneously acknowledging “the detection process would be the most intrusive one for users.”

    Interestingly, Princeton researchers developed a similar system shortly before Apple did, ultimately shelved it, and wrote a paper on why it should never be used.

    “Our system could be easily repurposed for surveillance and censorship,” the researchers wrote. “The design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.”

    Overall, Apple’s announcement is a welcome one. To be fair, however, more time will need to pass to ensure Apple lives up to its promise and has not been forced to implement its scanning technology covertly.