InfoSec News Nuggets – September 24, 2018


Google responds to lawmaker concerns over Gmail scanning

In July, Senators John Thune (R-SD), Roger Wicker (R-MS) and Jerry Moran (R-KS) sent Google a letter that sought information on Google’s practice of allowing third-party app developers access to its users’ emails. While Google stopped scanning Gmail messages for ad-targeting purposes earlier this year, it still offers access to others if users give their consent. Now, Google has replied to the lawmakers’ letter. In it, Susan Molinari, Google’s VP of public policy and government affairs, confirmed that Google does allow third parties to access Gmail data, a practice the company described in a blog post earlier this year. “Before a developer can access a Gmail user’s data, they must obtain consent from the user,” she wrote. “And they must have a privacy policy that details how the data will be used.”

Facebook will stop on-site support for political campaigns

Facebook said on Thursday that it would no longer dispatch employees to the offices of political campaigns to offer support ahead of elections, as it did with U.S. President Donald Trump in the 2016 race. The company and other major online ad sellers including Alphabet’s Google and Twitter have long offered free dedicated assistance to strengthen relationships with top advertisers such as presidential campaigns. Brad Parscale, who was Trump’s online ads chief in 2016, last year called onsite “embeds” from Facebook crucial to the candidate’s victory. Facebook has said that Democratic challenger Hillary Clinton was offered identical help, but that she accepted a different level of assistance than Trump did. Google and Twitter did not immediately respond to requests to comment on whether they also would pull back support.

Amazon is turning the Echo into a security system

Amazon is adding a few new features to the Echo that turn it into one of the basic pieces of a smart security system. Since Echo speakers are always listening, they’ll be able to start listening for the sound of broken glass, or for a smoke or carbon monoxide alarm to go off. If it hears those sounds while you’re out of the house, it’ll be able to send a notification to your phone; or, if you have a supported professional monitoring system, send it directly to the service monitoring your home. The feature set is being called Alexa Guard. It won’t be working at all times — instead, you’ll have to enable it when you leave the house, by telling Alexa that you’re leaving. Once you do, it’ll start monitoring and be ready to send you alerts.

Canadian retailer’s servers storing 15 years of user data sold on Craigslist

A security researcher has found customer and employee data belonging to one of Canada’s biggest PC hardware retailers on servers put up for sale on Craigslist. The data, believed to go back as far as 15 years, belongs to NCIX, a PC retailer that filed for bankruptcy and closed shop in December 2017. The massive privacy breach appears to have taken place after the retailer closed its stores last year and retired old servers and employee workstations. It’s unclear how these servers ended up advertised on Craigslist, but they did. Travis Doering of Privacy Fly discovered an ad for two servers in August.

Vote Leave data firm hit with first ever GDPR notice

A Canadian analytics firm that worked for Vote Leave has received the UK’s first formal notice under a key data law, the UK’s data protection watchdog has confirmed. AggregateIQ (AIQ) was accused of processing people’s data “for purposes which they would not have expected”. The firm has appealed against the notice, which was issued by the UK’s Information Commissioner’s Office. Law firm Mishcon de Reya said the notice was “significant”. If the company’s appeal against the ICO’s notice fails and it does not comply with it, it could face a large fine.

U.S. Justice Department may delay meeting on possible social media bias

The Justice Department is considering delaying a meeting with state attorneys general planned for next week to discuss concerns about conservative voices being stifled on social media, according to a person familiar with the discussions. Companies like Facebook Inc, Twitter Inc and Google owner Alphabet Inc have been accused by some conservatives of allegedly seeking to exclude their ideas. The companies deny any such bias. The Justice Department said last week it had invited a bipartisan group of 24 state attorneys general to attend the Sept. 25 meeting. So far, the attorneys general of California, Nebraska, South Carolina and Texas have said they would attend.

California may ban terrible default passwords on connected devices

California looks set to enact a law that aims to protect connected devices against hackers. The state senate has sent Governor Jerry Brown draft legislation that could beef up security across the vast ocean of smart gadgets. If a device requires you to sign in, manufacturers will either have to use unique preprogrammed passwords — see ya never, username: admin/password: admin — or make you change the credentials the first time you use it. Companies will also have to “equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device.”
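The two options the bill describes, a unique preprogrammed password per unit or a forced credential change on first use, are straightforward to implement in firmware. The following is an added example, not code from the bill or from any manufacturer: a factory-line audit that rejects well-known or duplicated default credentials across a batch, and a device login routine that refuses to grant a normal session until the factory credential has been replaced. The weak-default list, the `Device` class and the `provision_batch` helper are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Assumption: an illustrative (not exhaustive) set of the factory credential pairs the bill targets.
WEAK_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"), ("admin", ""),
    ("root", "root"), ("user", "user"),
}
MIN_PASSWORD_LEN = 12


def generate_unit_password(length=16):
    """Per-unit random password generated on the production line (e.g. printed on the label)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_factory_credentials(records):
    """records: iterable of (serial, username, factory_password).
    Returns a list of violation strings; an empty list means the batch passes."""
    violations = []
    seen = {}
    for serial, user, pw in records:
        if (user, pw) in WEAK_DEFAULTS or len(pw) < MIN_PASSWORD_LEN:
            violations.append(f"{serial}: weak or well-known factory credential")
        if pw in seen:  # the same password on two units is the "shared default" the bill forbids
            violations.append(f"{serial}: factory password duplicates unit {seen[pw]}")
        else:
            seen[pw] = serial
    return violations


class Device:
    """Hypothetical device credential store enforcing a first-login password change."""

    def __init__(self, serial, username, factory_password):
        self.serial = serial
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(factory_password)
        self.must_change = True  # the factory credential can only be used to set a new one

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _check(self, username, password):
        return username == self.username and hmac.compare_digest(self.pw_hash, self._hash(password))

    def login(self, username, password):
        if not self._check(username, password):
            return "denied"
        if self.must_change:
            return "change_required"  # authenticated, but no session until the password is rotated
        return "ok"

    def change_password(self, username, old, new):
        if not self._check(username, old):
            return False
        if (username, new) in WEAK_DEFAULTS or len(new) < MIN_PASSWORD_LEN or new == old:
            return False  # do not let the user pick the very default the law bans
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(new)
        self.must_change = False
        return True


def provision_batch(serials, username="admin"):
    """Generate unique factory credentials for a batch, audit them, and build the devices."""
    records = [(s, username, generate_unit_password()) for s in serials]
    problems = audit_factory_credentials(records)
    if problems:
        raise RuntimeError("batch failed credential audit: " + "; ".join(problems))
    return [(Device(s, u, pw), pw) for s, u, pw in records]
```

`audit_factory_credentials` is the check to run on the production-line output before units ship; `Device.login` shows why "change on first use" is only meaningful if the device refuses to serve anything else until the change happens.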

Details of 12-year employee’s role in UMass Memorial data breaches

UMass Memorial Medical Center Inc. and UMass Memorial Medical Group Inc. will pay $230,000 to the state after two former employees exposed the personal and health information of more than 15,000 state residents for their own fraudulent purposes, Attorney General Maura Healey announced Thursday. In separate breaches over several years, the two former employees accessed patients’ information — including names, addresses, genders, dates of birth, phone numbers, Social Security numbers, clinical information and health insurance information — for fraudulent purposes, such as opening cellphone and credit card accounts, Internet accounts and utility service accounts, the AG announced in a news release. The two UMass Memorial entities were told about the employees’ misconduct, but failed to properly investigate complaints, the AG’s office maintains in its complaint, filed last week along with a consent judgment in Suffolk Superior Court.

Inside the Search Engine That Spots Traffickers, Terrorists and Money Launderers

Search the phrase “sex trafficking” on Google, and your first result is a link to the national human trafficking hotline. Scroll down and you’ll find stories about convicted traffickers, explainer pieces on modern-day slavery and loads of anti-trafficking advocacy groups. What you won’t see are the sites where humans are being bought and sold. That’s because Google’s search engine isn’t optimized to show those platforms, and the vast majority reside on the “deep web,” the unindexed internet that search engines can’t access. But using a machine-learning tool with roots in military research, investigators can quickly scour the internet for those unsavory marketplaces and work to shut them down.

AdGuard resets all user passwords after credential stuffing attack

AdGuard, a popular ad blocker for Android, iOS, Windows, and Mac, has reset all user passwords, the company’s CTO Andrey Meshkov announced today. The company took this decision after suffering an attack in which an unknown attacker tried to log into user accounts en masse. Meshkov said the attacker used emails and passwords that were previously leaked into the public domain after breaches at other companies, rather than guessing passwords from scratch. This type of attack, using leaked usernames and passwords to hack into accounts at other services, is known as credential stuffing, and it differs from classic brute force in that each account typically sees only one or two attempts.
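That difference in shape is what makes credential stuffing detectable: a brute-force source hammers one account many times, while a stuffing source touches many distinct accounts once or twice each, with a low but non-zero success rate. The following is an added example, not AdGuard’s detection logic or log format: it parses constructed authentication log lines, profiles each source address, labels it as credential stuffing, brute force, or benign, and lists the accounts that should be force-reset because a flagged source logged into them successfully. The log format, thresholds and function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (assumption: illustrative format, not a real product's log).
SAMPLE_LOG = """\
2018-09-20T10:00:01Z src=203.0.113.7 user=alice@example.com result=fail
2018-09-20T10:00:02Z src=203.0.113.7 user=bob@example.com result=fail
2018-09-20T10:00:02Z src=203.0.113.7 user=carol@example.com result=success
2018-09-20T10:00:03Z src=203.0.113.7 user=dave@example.com result=fail
2018-09-20T10:00:03Z src=203.0.113.7 user=erin@example.com result=fail
2018-09-20T10:00:04Z src=203.0.113.7 user=frank@example.com result=fail
2018-09-20T10:00:10Z src=198.51.100.9 user=bob@example.com result=fail
2018-09-20T10:00:11Z src=198.51.100.9 user=bob@example.com result=fail
2018-09-20T10:00:12Z src=198.51.100.9 user=bob@example.com result=fail
2018-09-20T10:00:13Z src=198.51.100.9 user=bob@example.com result=fail
2018-09-20T10:00:14Z src=198.51.100.9 user=bob@example.com result=fail
2018-09-20T10:00:15Z src=198.51.100.9 user=bob@example.com result=fail
2018-09-20T10:00:16Z src=198.51.100.9 user=bob@example.com result=fail
2018-09-20T10:00:17Z src=198.51.100.9 user=bob@example.com result=fail
2018-09-20T10:01:00Z src=192.0.2.1 user=alice@example.com result=fail
2018-09-20T10:01:05Z src=192.0.2.1 user=alice@example.com result=success
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_sources(events):
    """Per source address: total attempts, distinct users targeted, users logged into successfully."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": set()})
    for e in events:
        s = stats[e["src"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "success":
            s["successes"].add(e["user"])
    return stats


def classify_source(s, min_users=5, min_attempts=5, max_attempts_per_user=2.0):
    """Credential stuffing: many distinct accounts, few attempts each.
    Brute force: many attempts concentrated on one or two accounts."""
    distinct = len(s["users"])
    if distinct >= min_users and s["attempts"] / distinct <= max_attempts_per_user:
        return "credential_stuffing"
    if s["attempts"] >= min_attempts and distinct <= 2:
        return "brute_force"
    return "benign"


def classify_sources(text):
    return {src: classify_source(s) for src, s in summarize_sources(parse_log(text)).items()}


def accounts_to_reset(text):
    """Accounts that a flagged source actually got into: the minimum set to force-reset.
    (AdGuard chose the broader response of resetting every account.)"""
    reset = set()
    for src, s in summarize_sources(parse_log(text)).items():
        if classify_source(s) != "benign":
            reset |= s["successes"]
    return reset
```

The ratio test (`attempts / distinct users`) is the key discriminator; a per-account failure counter, which is what a classic brute-force lockout uses, never fires during stuffing because each account sees a single attempt.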

Unusual IoT Botnet Removes Cryptomining Malware from Devices

Security researchers have come across an unusual new botnet that infects Android devices over the debugging interface, then searches for and removes cryptocurrency-mining malware. The new botnet, dubbed Fbot by researchers from Qihoo 360’s Netlab team, is related to another malware program called Satori, whose source code was leaked online in January. Satori itself is based on Mirai, one of the largest and most damaging IoT botnets in history. “So far the only purpose of this botnet looks to be just going after and removing another botnet com.ufo.miner,” a variant of the ADB.Miner malware family that propagates over the Android Debug Bridge (ADB), the researchers said in a blog post. Fbot might have been created by an internet vigilante with the sole purpose of removing cryptomining malware. If that’s the case, it wouldn’t be the first time a vigilante botnet has been created.
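Both Fbot and the miner it hunts spread over ADB exposed on TCP port 5555, and the condition that makes a device exploitable is that the ADB daemon accepts a connection without the key-based authentication Android normally requires. The following is an added example, not Netlab’s tooling or any code from the malware: it builds the ADB `CNXN` handshake message, parses the daemon’s reply, and reports whether the device answered with an unauthenticated `CNXN` (fully open) or with an `AUTH` token challenge. The message layout and command constants follow the public ADB wire protocol; the `probe` helper and the constructed replies are assumptions for illustration.

```python
import socket
import struct

# ADB wire protocol header: six little-endian uint32 fields (24 bytes).
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic
A_CNXN = 0x4E584E43            # "CNXN" as a little-endian uint32
A_AUTH = 0x48545541            # "AUTH"
AUTH_TOKEN = 1                 # arg0 of an AUTH message carrying a challenge token
ADB_VERSION = 0x01000000       # announcing this version keeps the payload checksum in use
MAX_PAYLOAD = 4096             # conservative maximum accepted by old and new daemons


def build_message(command, arg0, arg1, payload=b""):
    """Pack one ADB message: checksum is the byte sum of the payload, magic is command XOR 0xFFFFFFFF."""
    data_check = sum(payload) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), data_check, magic) + payload


def build_connect(identity=b"host::"):
    """The first message a client sends; the identity string is NUL-terminated."""
    return build_message(A_CNXN, ADB_VERSION, MAX_PAYLOAD, identity + b"\x00")


def parse_message(buf):
    """Validate and unpack an ADB message; raises ValueError on anything that is not one."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(buf)
    if magic != (command ^ 0xFFFFFFFF):
        raise ValueError("bad magic: not an ADB message")
    payload = buf[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if (sum(payload) & 0xFFFFFFFF) != check:
        raise ValueError("payload checksum mismatch")
    return command, arg0, arg1, payload


def classify_response(buf):
    """'open': daemon completed the handshake with no authentication (the state ADB.Miner needs).
    'auth_required': daemon answered with an AUTH token challenge (normal for a modern device)."""
    command, arg0, _, payload = parse_message(buf)
    if command == A_CNXN:
        banner = payload.rstrip(b"\x00").decode("utf-8", errors="replace")
        # Banner looks like "device::ro.product.name=...;ro.product.model=...;" on real daemons.
        props = dict(kv.split("=", 1) for kv in banner.split("::", 1)[-1].split(";") if "=" in kv)
        return {"state": "open", "props": props}
    if command == A_AUTH and arg0 == AUTH_TOKEN:
        return {"state": "auth_required", "props": {}}
    return {"state": "unexpected", "props": {}}


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ValueError("connection closed mid-message")
        data += chunk
    return data


def probe(host, port=5555, timeout=3.0):
    """Hypothetical network probe (not exercised offline): send CNXN, read one reply, classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect())
        head = _recv_exact(sock, HEADER.size)
        length = HEADER.unpack_from(head)[3]
        return classify_response(head + _recv_exact(sock, length))
```

A device that answers `open` is reachable by anyone who can hit port 5555 and will accept `shell:` and `sync:` services without a key, which is exactly the path the page describes Fbot and com.ufo.miner using; the remediation is `adb usb` or disabling network debugging, not a password.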

Artificial Intelligence: The Robots Are Now Hiring

Hiring is undergoing a profound revolution. Nearly all Fortune 500 companies now use some form of automation — from robot avatars interviewing job candidates to computers weeding out potential employees by scanning keywords in resumes. And more and more companies are using artificial intelligence and machine learning tools to assess possible employees. DeepSense, based in San Francisco and India, helps hiring managers scan people’s social media accounts to surface underlying personality traits. The company says it uses a scientifically based personality test, and it can be done with or without a potential candidate’s knowledge. The practice is part of a general trend of some hiring companies to move away from assessing candidates based on their resumes and skills, towards making hiring decisions based on people’s personalities.

AI learns to decipher images based on spoken words—almost like a toddler

Babies learn words by matching images to sounds. A mother says “dog” and points to a dog. She says “tree” and points to a tree. After repeating this process thousands of times, babies learn to recognize both common objects and the words associated with them. Researchers at MIT have developed software with the same ability to learn to recognize objects in the world using nothing but raw images and spoken audio. The software examined about 400,000 images, each paired with a brief audio clip describing the scene. By studying these labels, the software was able to correctly label which portions of the picture contained each object mentioned in the audio description.

Hackers Target Real Estate Deals, With Devastating Impact

James and Candace Butcher were ready to finalize the purchase of their dream retirement home, and at closing time wired $272,000 from their bank following instructions they received by email. Within hours, the money had vanished. Unbeknownst to the Colorado couple, the email account for the real estate settlement company had been hacked, and fraudsters had altered the wiring instructions to make off with the hefty sum representing a big chunk of the Butchers’ life savings, according to a lawsuit filed in state court. A report by the FBI’s Internet Crime Complaint Center said the number of victims of email fraud involving real estate transactions rose 1,110 percent between 2015 and 2017 and losses rose nearly 2,200 percent.

Key companies to attend White House quantum computing meeting

The White House will hold a meeting on Monday on U.S. government efforts to boost quantum information science, with administration officials, leading companies including Alphabet Inc, IBM Corp, JPMorgan Chase & Co and academic experts taking part. For certain classes of problems, quantum computers could operate millions of times faster than today’s advanced supercomputers. Experts have said the promising technology, still in its infancy, could have a major impact on healthcare, communications, financial services, transportation, artificial intelligence, weather forecasting and other areas.

Millions of Twitter Users Affected by Information Exposure Flaw

Twitter has patched a bug that may have caused direct messages to be sent to third-party developers other than the ones users interacted with. The problem existed for well over a year and it impacted millions of users. According to Twitter, the issue is related to the Account Activity API (AAAPI), which allows developers registered on the social network’s developer program to build tools designed to better support businesses and their customer communications on the platform. Users who between May 2017 and September 10, 2018, interacted with an account or business on Twitter that relied on a developer using the AAAPI may have had their messages sent to a different registered developer.