WebProNews

Category: CybersecurityUpdate


  • Buying Fuel May Result In Stolen Credit Cards, Warns Visa


    High fuel prices aren’t the only thing travelers need to worry about at the pump. Visa has issued a warning that anyone who has pumped gas may have had their credit card information stolen.

    Visa has been tracking three different types of attacks “targeting merchant point-of-sale (POS) systems that were likely carried out by sophisticated cybercrime groups. Two of the attacks targeted the POS systems of North American fuel dispenser merchants.” At least two of the attacks also appear to have been carried out by a group known as FIN8.

    The cyber criminals gained access to the target’s network and then installed malware that specifically harvested credit card information. In at least one of the attacks, the “threat actors compromised the merchant via a phishing email sent to an employee. The email contained a malicious link that, when clicked, installed a Remote Access Trojan (RAT) on the merchant network and granted the threat actors network access. The actors then conducted reconnaissance of the corporate network, and obtained and utilized credentials to move laterally into the POS environment.”

    In the second type of attack, magnetic swipe cards were targeted, although chip-based cards were not.

    Ultimately, Visa concludes by expressing concern that cyber criminals are increasingly targeting brick-and-mortar businesses, and fuel stations in particular, with relatively sophisticated attacks. These attacks are much more involved than simply skimming credit card information via pay-at-the-pump terminals. Visa recommends that fuel stations move to chip readers as soon as possible to increase security.

  • The Future Of Security Is Biometric


    Having a password on our devices to keep our data away from prying eyes has been a part of personal tech for a very long time. But the age of passwords and PINs is shifting to biometric security, that is, tech that can recognize your face, voice, DNA, fingerprint, and other physical features that make you, you. Biometrics in everyday tech has really been around since Apple first showed off Touch ID in 2013, and since then the global market for mobile biometrics has grown to over $14 billion. Nowadays many aspects of our lives can be controlled by biometrics. Nearly half of people have authenticated a payment with biometrics, and most won’t use banking apps that lack biometric authentication. Over ¾ use biometrics to unlock their mobile devices, whether phones or tablets. People prefer biometrics to traditional passwords and PINs because they find them easier to use and more secure.

    Physical identifiers are a big part of biometrics, but biometric security goes beyond them. Physical identifiers such as fingerprints, facial features, retinal patterns, and vocal and speech patterns can all be spoofed relatively easily; behavioral biometrics, by contrast, can identify who you are by your device usage patterns, the angle at which you hold your phone, how often you check your social media accounts, and even finger movements and gestures.

    Hollywood makes hacking biometrics look easy. In Diamonds Are Forever, Sean Connery uses a fake fingerprint to fool a scanner. In Sneakers, Robert Redford hacks voice recognition with a tape of the passphrase, and in Gattaca, Ethan Hawke bypasses a DNA scan with a drop of blood. Given how easy biometrics seem to be to crack, how does Hollywood stack up to reality?

    Before we get to how biometrics are cracked, we first have to understand what makes them hard to hack. Biometrics are much more time-consuming to hack than traditional passwords and PINs. They are also much more difficult to hack without being noticed, and creating a fake requires a huge amount of user data. Finally, biometric tech has yet to be standardized, so each device requires its own special approach. With all of these added security benefits, how are biometrics still being hacked?

    Fakes that fool biometrics have been made, but some systems are easier to fool than others. BKAV, a Vietnamese cybersecurity firm, cracked Apple’s Face ID using a mask made with a 3D printer, silicone, and paper tape. Some Android devices can be tricked with just a photo, including devices from some of the largest Android manufacturers such as Sony, Huawei, and Samsung. The new Samsung S10 features an ultrasonic fingerprint sensor that is meant to be harder to hack, but the sensor is easily fooled by a 3D-printed fingerprint placed on top.

    Find out the holes in biometric security and how they are being filled by manufacturers and software designers here.

  • Senators Express Alarm Over FBI Secretly Demanding Data From Credit Agencies


    Documents have come to light exposing the FBI’s practice of secretly demanding information about Americans from Equifax, Experian and TransUnion.

    According to a report by TechCrunch, the FBI has been using “legal powers — known as national security letters — to compel credit giants to turn over non-content information, such as records of purchases and locations, that the agency deems necessary in national security investigations. But these letters have no judicial oversight and are typically filed with a gag order, preventing the recipient from disclosing the demand to anyone else — including the target of the letter.”

    Tech companies have been dealing with national security letters for some time but, following the Edward Snowden revelations, the laws were changed in 2015 to give companies the right to petition for release from the gag orders. As a result, tech companies routinely publish transparency reports, disclosing how many times the government has requested their assistance.

    In the wake of these documents becoming public, at least three senators have expressed concern. Republican senator Rand Paul and Democratic senators Ron Wyden and Elizabeth Warren have written letters to the three credit agencies, questioning why the agencies have never disclosed the FBI’s requests.

    “Because your company holds so much potentially sensitive data on so many Americans and collects this information without obtaining consent from these individuals, you have a responsibility to be transparent about how you handle that data,” the letters said. “Unfortunately, your company has not provided information to policymakers or the public about the type or the number of disclosures that you have made to the FBI.”

    Senator Wyden, in particular, has been a vocal proponent of privacy protections and an equally vocal critic of questionable and illegal spying on American citizens. With these new revelations, it’s a safe bet there will be more inquiries and possible regulation to govern how the financial and credit information of Americans can be accessed and used.

  • Homeland Security’s Top Cybersecurity Official Moving to Google


    CyberScoop is reporting that Jeanette Manfra, the Department of Homeland Security’s assistant director for cybersecurity, will be joining Google.

    Google has been trying to gain traction acquiring federal cybersecurity contracts. Manfra will offer a big boost in that area, as she will take on the role of “global director of security and compliance as part of a new security team at Google Cloud,” according to Google’s statement to CyberScoop.

    “She will lend her considerable experience in cybersecurity toward helping our customers, particularly those in regulated industries, build and maintain the highest levels of security and trust into their technical infrastructure and services,” a Google Cloud spokesperson went on to say.

    Manfra is well respected in the cybersecurity community and, as CyberScoop points out, has been praised by politicians for her role in election security. Her name alone will lend gravitas to Google’s efforts to make headway in the field.

    She will stay on at her post at DHS’s Cybersecurity and Infrastructure Security Agency through the end of December, before beginning her new role with Google in January.

  • Ring Users Should Update Their Passwords In the Wake of Multiple Hacks


    In the wake of multiple hacking incidents, Ring is recommending users change their passwords, while at the same time reassuring users the company has not been compromised.

    In recent days, there have been multiple reports of Ring devices being hacked, with some terrifying results. In one case, a Ring device in an 8-year-old girl’s room was hacked. A man’s voice can be heard talking to the girl, claiming to be her friend. There have been similar incidents in Georgia, Florida and Texas.

    Following the reports, Ring investigated the incidents and found no evidence of unauthorized intrusions into their network or systems. According to the company, “malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log into some Ring accounts. Unfortunately, when people reuse the same username and password on multiple services, it’s possible for bad actors to gain access to many accounts.”

    The company goes on to make some common-sense recommendations, including activating two-factor authentication; using strong passwords consisting of upper- and lower-case letters, numbers and symbols; adding shared users rather than sharing credentials; regularly updating passwords; and not using the same passwords for multiple services and apps.

    This latest issue is another example of how an increasingly interconnected world requires individuals to learn and practice cybersecurity best practices in order to keep themselves and their families safe.

  • Incognito Mode Comes to Google Maps For iOS


    Google has brought Incognito Mode to Google Maps for iOS, according to an announcement on the company’s website.

    According to the blog post, when Google Maps is in Incognito Mode, “the places you search for or navigate to won’t be saved to your Google Account and you won’t see personalized features within Maps, like restaurant recommendations based on dining spots you’ve been to previously. Using Incognito mode on your phone will not update your Location History, so the places you go won’t be saved to your Timeline.”

    Google has been working to address concerns about how it handles users’ private data, unveiling new ways for customers to interact with their data and manage what is stored. Incognito Mode is another step in the right direction, allowing individuals to keep their travels private.

  • Facebook Will Not Give Authorities a Backdoor to Access Encrypted Messages


    Two months ago we reported on an open letter by Attorney General William Barr and his counterparts in Australia and the United Kingdom, calling on Facebook to create encryption backdoors in its messaging apps. This was followed by the FBI urging Interpol to condemn the use of strong encryption.

    Facebook has officially responded to the Attorney General’s request, via an open letter of their own. In the letter, Will Cathcart, Head of WhatsApp, and Stan Chudnovsky, Head of Messenger, highlight the inherent risks of making encryption weaker, or creating backdoors for authorities to access.

    “We believe that people have a right to expect this level of security, wherever they live. As a company that supports 2.7 billion users around the world, it is our responsibility to use the very best technology available to protect their privacy. Encrypted messaging is the leading form of online communication and the vast majority of the billions of online messages that are sent daily, including on WhatsApp, iMessage, and Signal, are already protected with end-to-end encryption.

    “Cybersecurity experts have repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere. The ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm. It is simply impossible to create such a backdoor for one purpose and not expect others to try and open it. People’s private

    “And we are not alone. In response to your open letter asking that Facebook break encryption, over 100 organizations, including the Center for Democracy and Technology and Privacy International, shared their strong views on why creating backdoors jeopardizes people’s safety. Cryptography Professor Bruce Schneier said earlier this year: ‘You have to make a choice. Either everyone gets to spy, or no one gets to spy. You can’t have ‘We get to spy, you don’t.’ That’s not the way the tech works.’ And Amnesty International commented: ‘There is no middle ground: if law enforcement is allowed to circumvent encryption, then anybody can.’”

    The two executives argued that law enforcement already has viable ways of getting the information they need in cases that demand it.

    “That doesn’t mean that we cannot help law enforcement. We can and we do, as long as it is consistent with the law and does not undermine the safety of our users…. We deeply respect and support the work these officials do to keep us safe and we want to assure you that we will continue to respond to valid legal requests for the information we have available. We will also continue to prioritize emergencies, such as terrorism and child safety, and proactively refer to law enforcement matters involving credible threats.”

    Our initial report on the Attorney General’s open letter highlighted the dangers of weakening encryption or creating backdoors. As Amnesty International said, “there is no middle ground.” Encryption is about basic math. It’s no more possible to have strong encryption with backdoors than it is to break the laws of physics. Hopefully, Facebook’s questionable history with privacy and security will not cloud the very valid argument they are making about the importance of encryption.

  • New Chrome Feature Will Alert You If Your Password Is Stolen


    In a blog post today, Google announced the addition of a significant security feature to Chrome, one that will alert users if their password has been stolen.

    With new data breaches occurring and being reported on a near-daily basis, people’s usernames and passwords are increasingly showing up for sale on the dark web. With many people reusing passwords across websites, a single compromised website can leave individuals vulnerable across a myriad of sites and services.

    First introduced earlier this year as an extension named Password Checkup, the feature has been rolled into Chrome’s settings as part of its Safe Browsing features.

    “When you type your credentials into a website, Chrome will now warn you if your username and password have been compromised in a data breach on some site or app. It will suggest that you change them everywhere they were used.”

    Google’s post also discussed improvements to Safe Browsing’s anti-phishing features.

    “Google’s Safe Browsing maintains an ever-growing list of unsafe sites on the web and shares this information with webmasters, or other browsers, to make the web more secure. The list refreshes every 30 minutes, protecting 4 billion devices every day against all kinds of security threats, including phishing.

    “However, some phishing sites slip through that 30-minute window, either by quickly switching domains or by hiding from our crawlers. Chrome now offers real-time phishing protections on desktop, which warn you when visiting malicious sites in 30 percent more cases. Initially we will roll out this protection to everyone with the “Make searches and browsing better” setting enabled in Chrome.”

    These improvements are welcome additions to one of the most popular browsers in use and Google is to be commended for making Password Checkup an included feature, where more people will benefit from it.

  • DOJ Planning to Review Google-Fitbit Deal Over Privacy Concerns


    According to the New York Post, the Department of Justice (DOJ) is planning to review the Google-Fitbit deal over concerns about consumer privacy.

    We reported last month that Google had agreed to acquire Fitbit for $2.1 billion. As part of the announcement, Google did its best to reassure current users that it would respect their privacy and that their personal data would not be sold to third parties or be used for advertising. A couple of weeks later, it came to light that Facebook had also been interested in the wearable company, losing out in a bidding war against Google. At the end of that article, we made the following observation:

    “While some users have understandably been concerned about privacy in the wake of the announcement Google was purchasing Fitbit, it’s probably a safe bet that far more users would be concerned if Facebook was the buyer.”

    Evidently, the fact that Google is buying Fitbit instead of Facebook is not enough of a consolation prize to prevent regulatory scrutiny. In fact, according to the New York Post, both the DOJ and the Federal Communications Commission (FCC) wanted to review the deal, with one source describing it “as a real ‘arm wrestle’ between the agencies.”

    Both agencies are concerned with the privacy implications, given the amount of data Google already has about people’s lives. They fear that allowing Google to purchase Fitbit will give them too much data, especially sensitive health information. Google is already under scrutiny for Project Nightingale, Google’s partnership with the Ascension healthcare group to collect data on millions of patients.

    While the FTC has usually investigated Google’s past deals, the DOJ won out this time due to the fact they are “presently investigating Google for broader anti-competitive issues.”

    Although it’s too early to know how the DOJ will rule, the Public Citizen and the Center for Digital Democracy had previously urged the FTC to block the merger. With increased scrutiny on Google’s handling of customer data, it may be an uphill battle to close the Fitbit deal.

  • Apple Threatens to Leave Russia in 2020, Citing Russian Software Demands


    The International Business Times (IBT) is reporting that Apple may leave the Russian market next year in response to a new law requiring Russian software alternatives be installed on electronic devices.

    The new law, which Putin signed on December 5, goes into effect on July 1, 2020. The law requires all computers, smartphones and smart TVs to have Russian applications pre-installed. As Reuters reports, electronic companies are pushing back on the law, although few as much as Apple.

    Apple has said the Russian law would require the equivalent of jailbreaking its software, something it has refused to do in the past. While the law’s proposed purpose is to allow local companies to better compete with the software that comes loaded on devices, critics believe any software the Russian government would insist be installed could, and likely would, be used to spy on people.

    According to IBT, “an unnamed Apple source allegedly informed Kommersant Business Daily that a mandate to include third-party applications to Apple’s ecosystem would be synonymous with jailbreaking. The Apple source also said that it might pose a security threat, and Apple would not tolerate such kind of risk. The Russian government will come up with a list of software and apps which tech firms are required to pre-install, as well as the list of devices covered by this new law, reports The Moscow Times.”

    For Apple, the stakes are far greater than just the Russian market. The company has made a name for itself as a staunch protector of privacy, going head-to-head with the FBI to fight attempts to force it to create backdoors in its software. If it gives in to Russia, it will set a dangerous precedent that other governments will no doubt seize upon.

  • New Google Chrome Feature May Drive Users to Firefox


    The Register is reporting on a new feature in an upcoming version of Google Chrome that has privacy-conscious users worried. A recent API called getInstalledRelatedApps may allow websites to determine what apps are installed on a user’s device.

    At first glance, the API seems to have an admirable purpose. If users have both web and native applications installed, they could be bombarded by duplicate sets of notifications. If a website can determine that its native app is installed, it would then prioritize notifications for the native app. Unfortunately, the API doesn’t really seem to be aimed at improving the experience—not for the user at least.

    In response to a question from Opera developer Daniel Bratell, expressing concern about how this API would help users, Google engineer Rayan Kanso wrote:

    “Although this isn’t an API that would directly benefit users, it indirectly benefits them through improved web experiences,” Kanso wrote. “We received very positive OT [origin trial] feedback from partners using this API, and the alternative is them using hacks to figure whether their native app is installed.”

    In other words, this API is more about serving web and app developers’ marketing needs than about truly making users’ lives easier.

    The privacy implications are clear: if websites can determine what apps are installed on a person’s phone or tablet, they can build a relatively complete picture of that person’s habits, otherwise known as a fingerprint.

    As The Register points out, Peter Snyder, a privacy researcher at browser maker Brave, voiced his own concerns:

    “I don’t follow the claim about non-fingerprint-ability. If I’m a company with a large number of apps (e.g. google), with 16-32 apps registered in app stores, the subset of which apps any user has installed is likely to be a very strong semi-identifier, no, and so be extremely risky for the user / valuable for the fingerprinter, no?

    “Apologies if I’m misunderstanding, but this seems like a very clear privacy risk.

    “Put differently, if this isn’t a privacy risk, what’s the rationale behind disallowing this in private browsing mode?”

    With browsers like Firefox and Safari placing an emphasis on privacy and security, it’s a safe bet this is yet another move that will drive users away from Chrome.
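    As an added illustration (our example, not code from The Register’s report or from Chrome itself), the JavaScript below puts numbers on Snyder’s argument: it estimates how many bits of identifying information a site gains from learning which of its declared related apps are installed, and how many users out of 4 billion would share a given subset. The independence model, the 50% and 99% install probabilities and the `installedVector` helper are all assumptions made here; the helper further assumes that the objects `navigator.getInstalledRelatedApps()` resolves with carry an `id` field, matching the entries a site lists under `related_applications` in its web app manifest.

```javascript
// Added example, not code from The Register's report or from Chrome.
// Quantifies Peter Snyder's point: how much identifying information a
// site gains from learning which of its declared related apps are installed.
//
// Model assumption (ours, not the article's): each app is installed
// independently with probability probs[i]. Real install patterns are
// correlated, so treat the result as a first-order estimate.

// Binary entropy, in bits, of one yes/no answer observed with probability p.
function binaryEntropyBits(p) {
  if (p <= 0 || p >= 1) return 0; // a certain answer reveals nothing
  return -(p * Math.log2(p) + (1 - p) * Math.log2(1 - p));
}

// Expected bits of identifying information leaked by answering "installed?"
// for every app in the list.
function expectedBits(probs) {
  return probs.reduce((sum, p) => sum + binaryEntropyBits(p), 0);
}

// Surprisal, in bits, of one observed subset: -log2 P(exactly this subset).
// installed[i] is true when app i was reported as installed.
function surprisalBits(installed, probs) {
  return installed.reduce((sum, isInstalled, i) => {
    const p = isInstalled ? probs[i] : 1 - probs[i];
    return sum - Math.log2(p);
  }, 0);
}

// Expected number of users, out of `population`, sharing this exact subset.
// A value at or below 1 means the subset alone is likely to single a user out.
function anonymitySetSize(population, installed, probs) {
  return population * Math.pow(2, -surprisalBits(installed, probs));
}

// Build the boolean vector from the app ids a site declares in its manifest's
// related_applications list and the objects the API reported back. Assumes
// (our assumption) each reported object carries an `id` naming the app.
function installedVector(declaredIds, reportedApps) {
  const reported = new Set(reportedApps.map((app) => app.id));
  return declaredIds.map((id) => reported.has(id));
}

// Snyder's scenario: a vendor with 16 or 32 apps, each installed by roughly
// half of users (constructed probabilities), measured against 4 billion users.
function snyderScenario() {
  const population = 4e9;
  const sixteen = Array(16).fill(0.5);
  const thirtyTwo = Array(32).fill(0.5);
  const allSixteen = Array(16).fill(true);
  const allThirtyTwo = Array(32).fill(true);
  return {
    bits16: expectedBits(sixteen),
    bits32: expectedBits(thirtyTwo),
    anonymitySet16: anonymitySetSize(population, allSixteen, sixteen),
    anonymitySet32: anonymitySetSize(population, allThirtyTwo, thirtyTwo),
    // an app almost everyone has (99%) contributes very little on its own
    universalAppBits: binaryEntropyBits(0.99),
  };
}

console.log(snyderScenario());
```

    With 16 apps at a 50% install rate the answers carry 16 bits, leaving roughly 61,000 of 4 billion users indistinguishable; at 32 apps the expected anonymity set drops below one user, which is the “very strong semi-identifier” Snyder describes. The same numbers show where the risk concentrates: an app that almost everyone has contributes under a tenth of a bit, so the exposure comes from vendors with many apps of mixed popularity, and a browser that limits the answer to the apps a site has itself declared is what bounds the subset size.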

  • Apple Explains iPhone 11 Frequent Location Checking


    Apple has finally explained behavior that led some to believe new iPhones or iOS 13.x had a privacy bug.

    Security researcher Brian Krebs discovered that the iPhone 11 Pro “intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data.” He originally contacted Apple on November 13 to report the problem.

    Earlier this week, Apple responded to Krebs by simply saying: “It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings.”

    Needless to say, this vague response is not what people want to hear from a company that has planted its flag on respecting user privacy. Fortunately, Apple has since issued a statement to KrebsOnSecurity, along with other venues, providing more information.

    “Ultra Wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations. iOS uses Location Services to help determine if iPhone is in these prohibited locations in order to disable Ultra Wideband and comply with regulations. The management of Ultrawide Band compliance and its use of location data is done entirely on the device and Apple is not collecting user location data.”

    Ultra Wideband is used by AirDrop to enable users to share files from one iPhone to another. The technology gives iPhones “spatial awareness.” This is what makes it possible for users to “share a file with someone using AirDrop simply by pointing at another user’s iPhone.”

    While Apple does plan on allowing users to turn the feature off in the future, it is unknown when this will happen, especially since it involves working with government regulation.

    In any event it’s reassuring to know there is no breach of privacy in play. However, Apple could have saved itself—and its customers—a lot of headache by being more transparent in its initial response or, better yet, by documenting the feature before it became a concern.

  • Huawei Moves Research to Canada, Urges Suppliers to Break U.S. Law


    The battle between Huawei and the U.S. shows no signs of abating. In fact, Huawei is making moves that will likely ratchet up the war even further.

    Huawei’s CEO, Ren Zhengfei, told the Toronto Globe and Mail in a video interview that Huawei is moving its research facilities from the U.S. to Canada. Zhengfei acknowledged the company does not have much of a presence in the U.S., but does not want to give up on any one country due to a dispute.

    Zhengfei said in the interview that the relocation to Canada would be a gradual one, but was necessary as a result of the sanctions.

    “Because of the sanctions, we are not allowed to communicate with our employees in America. No phone calls. No e-mails. No contacts. Huawei’s development has been blocked in America, and therefore we are moving our business to Canada.”

    Meanwhile, Reuters is reporting that the company has been encouraging suppliers to break the law to work around U.S. sanctions against Huawei.

    Commerce Department Secretary Wilbur Ross told Reuters the U.S. government is frustrated by the limitations of blacklisting, since it does nothing to prevent overseas suppliers from selling to Huawei.

    Ross said Huawei has “been openly advocating companies to move their production offshore to get around the fact that we put Huawei on the list. Anybody who does move the product out specifically to avoid the sanction… that’s a violation of U.S. law. So here you have Huawei encouraging American suppliers to violate the law.”

    It’s safe to say the U.S. will likely be looking at additional options to punish Huawei.

  • TikTok Accused of Illegally Collecting Data and Uploading It to China


    A California student has filed a class-action lawsuit against TikTok, the wildly popular social media app from China. According to a report in the Daily Beast, the suit alleges that TikTok uploads data without user consent—in some cases without a user even creating an account.

    Misty Hong, a student at Palo Alto, claims she downloaded the app but never got around to setting up an account. According to the suit, TikTok created an account using her phone number, and began analyzing videos she took but never uploaded. These videos included a facial scan.

    “The app, she alleges, transferred all of her information to servers owned and operated by companies that cooperate with the Chinese government. She’s filed the lawsuit on behalf of all U.S. residents who have downloaded TikTok, roughly 110 million people.”

    The suit also alleges the app secretly gathers “users’ locations, ages, private messages, phone numbers, contacts, genders, browsing histories, cell-phone serial numbers, and IP addresses. That data was allegedly then sent to Chinese servers.”

    TikTok’s executives have tried to reassure the American public that their data is stored in Virginia, with a backup in Singapore. In a recent New York Times profile, they tried to reassure American users that their data cannot be accessed by Chinese officials. Nonetheless, previous user agreements did stipulate that data could be sent to China. The suit is alleging that practice has continued despite changes to the agreement saying it won’t.

    Convincing users of its independence is a tall order, given that Chinese corporations are required to cooperate with Chinese intelligence when requested. This is partly what has led to Huawei being blacklisted in the U.S. and under scrutiny in many countries around the world.

    U.S. senators have already warned of the threat to national security TikTok may pose, should it be sending data back to China. This lawsuit will only add to those concerns and could result in punitive measures taken against ByteDance, the company that owns TikTok.

    In the meantime, given China’s poor history of respecting individual privacy—including, but not limited to China now requiring facial recognition scans to open a wireless account—this news should come as a surprise to exactly no one.

  • Twitter Making Changes Globally to Comply With Privacy Laws


    Reuters is reporting that Twitter is making changes throughout its platform in an effort to comply with privacy legislation around the world.

    The company is aiming to navigate the different laws and jurisdictions impacting how it collects and uses data. The European Union (EU) passed the General Data Protection Regulation (GDPR) last year, one of the most sweeping privacy protection laws in existence. California has its own legislation, the California Consumer Privacy Act (CCPA), going into effect January 1, 2020.

    Twitter is planning on moving accounts for users outside the EU and the U.S. “which were previously contracted by Twitter International Company in Dublin, Ireland, to the San Francisco-based Twitter Inc.” This will allow the company to experiment with different privacy features—figuring out what works and what doesn’t—without worrying about infringing on the GDPR.

    “We want to be able to experiment without immediately running afoul of the GDPR provisions,” Damien Kieran, Twitter’s data protection officer, told Reuters in a phone interview. “The goal is to learn from those experiments and then to provide those same experiences to people all around the world.”

    Coinciding with these changes, the company has unveiled a new site, the Twitter Privacy Center, in an effort to keep users informed about Twitter’s privacy efforts, as well as give them more control over their data.

  • TrueDialog Database With Tens of Millions of Texts Left Exposed Online


    According to researchers at privacy firm vpnMentor, millions of Americans’ data is at risk following the discovery of a breached database belonging to TrueDialog. TrueDialog is “the leading SMS provider for mass text messaging, SMS marketing and personalized 2-way SMS texting at scale.”

    vpnMentor’s research team, led by Noam Rotem and Ran Locar, discovered the database, which was linked to “many aspects” of TrueDialog’s business. The database had “millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more.”

    The researchers found the database as part of a web mapping project, using port scanning “to examine particular IP blocks and test open holes in systems for weaknesses.” Working as ethical hackers, the team tries to identify exposed data in an effort to make the web safer. Once an exposure is found, they verify the database’s identity and alert the company that owns it.

    In the case of TrueDialog’s database, vpnMentor was able to access it because it was left “completely unsecured and unencrypted.” The database was 604 GB in size and “included nearly 1 billion entries of highly sensitive data.” The entries included account login details, full names of TrueDialog account holders and users, message contents, email addresses, time stamps of sent messages and more.

    vpnMentor says the type of data could make it possible for bad actors to take over TrueDialog customer accounts, engage in corporate espionage, steal identities, run phishing scams and blackmail users.

    Once the researchers verified the threat level, they reached out to TrueDialog to notify them and offer assistance in securing the database. Shortly after, access to the database was shut down, although TrueDialog never contacted vpnMentor.

    The Takeaway

    There are several lessons to be learned from TrueDialog’s data breach.

    • First and foremost, it is beyond shocking and inexcusable for a company of TrueDialog’s size and resources to be so irresponsible with customer data. There is simply no justification for leaving data—let alone highly sensitive data—unencrypted and exposed for the world to see.
    • As a general rule, when privacy researchers alert a company to a data breach, it’s never a good idea to ignore them. Even if steps are taken to fix the issue, ignoring the researchers who found it gives the impression the company doesn’t care or has something to hide.
    • Going silent is never a good response. TechCrunch was just one outlet that reached out to TrueDialog’s chief executive, John Wright, for comment. At the time of writing, John Wright and TrueDialog had not returned requests for comment or even acknowledged the breach. Wright also did not answer any of TechCrunch’s questions about what steps would be taken to alert impacted users, or notify regulators.

    In short, if there’s a single point to take away from TrueDialog’s experience, it’s this: Don’t do anything TrueDialog has done in this case.

  • China Requiring Facial Recognition Scans For Mobile Users

    China is ramping up its attacks on privacy, with new rules due to take effect requiring all citizens to submit to facial recognition scans when registering for mobile service. The BBC is reporting the new rules were first announced in September and went into effect December 1.

    China has been working for years to eliminate online anonymity among its citizens, even requiring online platforms to verify users’ identities before they’re allowed to post content. These new regulations are an effort to “strengthen” the government surveillance system and give them a way to track mobile users.

    According to the BBC, “Jeffrey Ding, a researcher on Chinese artificial intelligence at Oxford University, said that one of China’s motivations for getting rid of anonymous phone numbers and internet accounts was to boost cyber-security and reduce internet fraud.

    “But another likely motivation, he said, was to better track the population: ‘It’s connected to a very centralised push to try to keep tabs on everyone, or that’s at least the ambition.’”

    This goal is much easier in a country like China, where the vast majority of citizens access the internet via their phones. China is already known as a surveillance state, where facial recognition is regularly used to track citizens. This latest move will only increase the government’s surveillance powers.

  • Darktrace CEO: People Are Going To Give a Hard Look At Cloud Security

    “People are going to really give a hard look at cloud security,” says Darktrace CEO Nicole Eagan. “At the end of the day, it also says when you have something of this scale why not use some artificial intelligence or something that could have spotted this. Actually what was done was pretty blatant. It was 30 gigabytes of data moving to unusual storage locations. So there were a lot of ways that something like an AI system could have detected this and also prevented it from becoming an issue.”

    Nicole Eagan, CEO of Darktrace, discusses how the Capital One cyber attack happened and how it could have been prevented, in an interview on Bloomberg Technology:

    People Are Going To Really Give a Hard Look At Cloud Security

    There is so much positive momentum around cloud and so many benefits that I don’t anticipate seeing a pendulum swing back to on-prem data centers (because of the Capital One cyber hack). What I do think it means is people are going to really give a hard look at cloud security. This attack was a result of a vulnerability known as a configuration error in a Web Application Firewall that was specific to Capital One. What it does show is these configuration errors are actually really very commonplace. They’re commonplace in on-prem data centers and in cloud.

    This does highlight a few things. It does highlight insider threats, someone who had some insider knowledge. It also highlights supply chain level security. At the end of the day, it also says when you have something of this scale why not use some artificial intelligence or something that could have spotted this. Actually what was done was pretty blatant. It was 30 gigabytes of data moving to unusual storage locations. So there were a lot of ways that something like an AI system could have detected this and also prevented it from becoming an issue.

    Capital One Attack Was Human Error

    Configuration errors are basically a human error. Somebody somewhere made a human error, a mistake. We have to expect that humans are fallible and we’re going to see those type of errors. What’s so strange about this one is how public the disclosure was by the attacker on Twitter and GitHub and other places. That was what made it so unusual but also meant that the investigation moved very quickly. It seems like there’s been quite a bit of transparency as well.

    It’s interesting timing because we’re actually going into Black Hat and DEF CON, which is often known as a summer camp for hackers. There will be literally tens of thousands of people in Las Vegas next week. All of this is going to change the conversation. We’re going to see a lot about cloud security, about 5G security, about encryption and decrypting data, and of course, the evolution towards AI-based attacks.

    What’s interesting is that people want to kind of say let’s make sure we prevent the kind of attacks we saw in 2016 (regarding the election). The reality is, the way the cybersecurity industry works, the attackers keep moving on. They keep changing what’s called threat vectors. I do think we’ll see plenty of threats for 2020 but they may not look anything like the ones we saw in 2016.

    People Are Going To Give a Hard Look At Cloud Security – Darktrace CEO Nicole Eagan

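    Eagan’s argument is that tens of gigabytes moving to storage locations a workload has never used before is a detectable pattern. The following is an added illustration of that detection logic, written for this page rather than taken from Darktrace or the interview; the principals, bucket names and byte counts are constructed sample records, not data from the Capital One incident.

```python
from collections import defaultdict

GB = 10**9

# Constructed sample storage-access records: (timestamp, principal, destination, bytes).
# BASELINE is the "normal" period used to learn where each principal usually writes.
BASELINE = [
    ("2019-07-01T09:00:00", "svc-waf", "s3://internal-logs", 2_000_000_000),
    ("2019-07-02T09:00:00", "svc-waf", "s3://internal-logs", 2_100_000_000),
    ("2019-07-03T09:00:00", "svc-waf", "s3://internal-logs", 1_900_000_000),
]
# WINDOW is the period under review: the same principal suddenly writes 30 GB
# to a destination absent from its baseline, plus a small, unrelated new writer.
WINDOW = [
    ("2019-07-19T02:10:00", "svc-waf", "s3://internal-logs", 2_000_000_000),
    ("2019-07-19T02:15:00", "svc-waf", "s3://unknown-bucket-7f3a", 12_000_000_000),
    ("2019-07-19T02:20:00", "svc-waf", "s3://unknown-bucket-7f3a", 18_000_000_000),
    ("2019-07-19T02:25:00", "svc-backup", "s3://nightly-backups", 500_000_000),
]


def build_baseline(records):
    """Return, per principal, its known destinations and its largest single transfer."""
    dests = defaultdict(set)
    peak = defaultdict(int)
    for _, principal, dest, nbytes in records:
        dests[principal].add(dest)
        peak[principal] = max(peak[principal], nbytes)
    return dests, peak


def detect_unusual_egress(baseline_records, window_records, floor_bytes=10 * GB):
    """Flag (principal, destination) pairs where the destination is new for that
    principal and the summed volume exceeds both an absolute floor and twice the
    principal's largest baseline transfer."""
    dests, peak = build_baseline(baseline_records)
    totals = defaultdict(int)
    for _, principal, dest, nbytes in window_records:
        if dest not in dests.get(principal, set()):
            totals[(principal, dest)] += nbytes
    alerts = []
    for (principal, dest), total in sorted(totals.items()):
        threshold = max(floor_bytes, 2 * peak.get(principal, 0))
        if total >= threshold:
            alerts.append({"principal": principal, "destination": dest, "gb": round(total / GB, 1)})
    return alerts
```

    Running `detect_unusual_egress(BASELINE, WINDOW)` flags only the 30 GB written by `svc-waf` to the never-before-seen bucket; the small write by `svc-backup` stays below the floor and is not reported.
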
  • Huawei Receives A 90-Day License Extension

    Reuters is reporting that Huawei has received a 90-day license extension from the Trump administration today, allowing U.S. companies to continue doing business with the telecom equipment provider.

    After being blacklisted by the Trump administration in May, Huawei has been granted extensions that have allowed it to continue doing business with American companies. The move is especially important to rural networks, as many of them depend on Huawei equipment to operate.

    “There are enough problems with telephone service in the rural communities – we don’t want to knock them out. So, one of the main purposes of the temporary general licenses is to let those rural guys continue to operate,” Commerce Secretary Wilbur Ross told Fox Business Network.

    The U.S. has long maintained that Huawei’s ties to the Chinese government make it a threat to national security. All Chinese companies can be impressed into service, assisting the Chinese government in intelligence gathering. Huawei, however, seems to have much closer ties to the government than many other companies. The U.S., and its allies, believe Huawei’s equipment has backdoors that are being used to assist the Chinese government. The company has also faced multiple allegations of intellectual property theft.

    In spite of its reputation, there’s no denying that Huawei is the world leader in 5G telecom equipment. Network operators around the world have warned governments that banning Huawei would result in years of delay and billions in additional cost to 5G rollouts.

    Today’s extension for Huawei is another reminder of just how hard it will be to completely replace the company.

  • Need Power When Traveling? Beware of USB Charging Stations

    The Los Angeles Times is reporting on the dangers of “juice jacking,” a method where hackers hijack a USB port to steal information from a phone or tablet.

    As the LA Times reports, this is not a new problem and has been around for some time. It’s recently regained national attention, however, in the wake of a warning by the LA District Attorney’s office about “criminals [who] load malware onto charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users.”

    The issue is of particular concern when so many people are traveling for the holidays, putting a strain on their devices’ battery life. With people relying on their phones for navigation, flight information and hotel reservations, not to mention entertainment while traveling, it can be extremely tempting to plug in to the nearest USB charging station.

    In an email to the LA Times, however, Paul Bischoff, a privacy advocate with Comparitech, warned of the danger:

    “Just as you wouldn’t plug an unfamiliar USB drive into your laptop, you shouldn’t plug your phone into an unfamiliar USB charger. Our devices have fewer defenses against attacks from physically connected devices than (from) attacks from the internet. The malware can also be much more severe with physical access to hardware.”

    A much better option for travelers is to use a standard outlet, in conjunction with their own charging cable. Another option is a battery pack, many of which have enough power to charge a smartphone several times over. These devices can be had for as little as $12, a small price to pay compared to identity theft.

  • Roughly 100 Developers May Have Improperly Accessed Facebook Groups Data

    The last few weeks have seen the news go from bad to worse for Facebook, especially on the privacy front. Now the company is admitting that roughly 100 developers may have improperly accessed Groups member data.

    In April 2018, Facebook made changes to the Groups API to limit what information administrators could access. Prior to the change, admins could see identifiable information, such as member names and profile pictures. Following the change, group members would have to opt in before an admin could see that information—at least in theory.

    According to Konstantinos Papamiltiadis, Facebook’s Platform Partnerships Head, an ongoing review discovered that some 100 developers had retained access to member information. Papamiltiadis said the company had taken steps to address the issue.

    “We have since removed their access. Today we are also reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API, although it’s likely that the number that actually did is smaller and decreased over time. We know at least 11 partners accessed group members’ information in the last 60 days. Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted.”

    The post also made a point of promising that the company would continue to improve moving forward.

    “We aim to maintain a high standard of security on our platform and to treat our developers fairly. As we’ve said in the past, the new framework under our agreement with the FTC means more accountability and transparency into how we build and maintain products. As we continue to work through this process we expect to find more examples of where we can improve, either through our products or changing how data is accessed. We are committed to this work and supporting the people on our platform.”

    Given the current political climate, with politicians on both sides of the aisle increasingly looking at Facebook as a threat to privacy—and some even calling for its breakup—the company will need to do better to convince authorities and users alike that it can be trusted.