InfoSec News Nuggets 3/3/2020

1 - Walgreens says mobile app leaked users' personal data Walgreens, the second-largest pharmacy store in the US, said on Friday that its official mobile app contained a bug that exposed the personal details of some of its users. The leak, described as "an error within the Walgreens mobile app personal secure messaging feature," exposed details such as first and last name, prescription details, store number, and shipping addresses, where available. "Our investigation determined that an internal…

InfoSec News Nuggets 3/2/2020

1 - DNC warns campaigns about cybersecurity after attempted scam An online “impersonator” of a Democratic National Committee (DNC) staffer tried to contact presidential campaigns, including Sen. Bernie Sanders’s (I-Vt.) campaign, the committee said in a statement to the candidates Wednesday. Bob Lord, the DNC’s chief security officer, wrote in an email to the campaigns obtained by The Hill that “adversaries will often try to impersonate real people on a campaign.” He added that the “adversaries”…

InfoSec News Nuggets 2/28/2020

1 - Clearview AI's entire client list stolen in data breach Clearview AI, a facial-recognition software maker that has sparked privacy concerns, said Wednesday it suffered a data breach. The data stolen included its entire list of customers, the number of searches those customers have made and how many accounts each customer had set up. "Security is Clearview's top priority," Tor Ekeland, Clearview AI's attorney, said in a statement. "Unfortunately, data breaches are part of life in…

InfoSec News Nuggets 2/27/2020

1 - FCA admits data breach The Financial Conduct Authority has admitted it had revealed the confidential details of consumers on its website in a data breach last year. In a statement published today (February 25) the regulator said it had referred itself to the Information Commissioner’s Office over the incident, which occurred in November 2019. In response to a Freedom of Information request the FCA mistakenly published on its website the details of individuals who had made…

InfoSec News Nuggets 2/26/2020

1 - Google denies claims that free school Chromebooks are illegally collecting student data Google has branded claims made in a new lawsuit that free school Chromebooks are harvesting student information in violation of COPPA as "factually wrong." The lawsuit, filed against the tech giant on Thursday by New Mexico Attorney General Hector Balderas, alleges that Google is illegally collecting data belonging to minors. According to the complaint (.PDF), Chromebooks offered to schools in the area for free…

InfoSec News Nuggets 2/25/2020

1 - Developers Hack McDonald’s Reward System to Get Free Hamburgers A couple of German software developers discovered an oversight in McDonalds’ promotion systems that allowed them to get as many hamburgers as they wanted, without paying anything. While software vulnerabilities or loopholes are sometimes used for nefarious purposes, that’s not always the case. The same can be said of white hackers and software developers who want to make the online world a safer place.…

InfoSec News Nuggets 2/24/2020

1 - Safari to snub new security certs valid for more than 13 months Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser. The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to…

InfoSec News Nuggets 2/21/2020

1 - MGM hack exposes personal data of 10.6 million guests The personal information of 10.6 million guests who stayed at MGM Resorts hotels was hacked last summer. The hack was first reported by ZDNet on Wednesday, which said the stolen information was posted to a hacking forum this week. MGM confirmed the attack took place to the BBC. The data exposed included names, address, and passport numbers for former guests. MGM said it was…

InfoSec News Nuggets 2/20/2020

1 - Estonian foreign intelligence warns of growing cyber threats from Russia Russia will continue to engage in cyber operations to threaten Western nations, with sanctions so far proving ineffective. The warning comes from the Estonian Foreign Intelligence Service (EFIS), which in its 2020 annual threat assessment report states that Russian cyber operations have been successful so far and will continue to look for new security vulnerabilities to exploit in coming months. "In 2019, Russian…

InfoSec News Nuggets 2/19/2020

1 - IRS Urges Taxpayers to Enable Multi-Factor Authentication The US Internal Revenue Service (IRS) and Security Summit partners urged tax professionals and taxpayers today to enable multi-factor authentication (MFA) in their tax preparation software products to defend against data theft. "Already, nearly two dozen tax practitioner firms have reported data thefts to the IRS this year," the IRS said. "Use of the multi-factor authentication feature is a free and easy way to protect clients and practitioners' offices…

InfoSec News Nuggets 2/18/2020

1 - Reuters Partners With Facebook For Fact-Checking Program Reuters has joined Facebook’s fact-checking crusade. As part of the social network’s third-party program, Reuters will comb through photos, videos, headlines, and other content—in the run-up to the U.S. election and beyond—to verify information in English and Spanish. The global news provider will then publish its findings on a specially created blog. “We are steadfastly recognizing the magnitude of misinformation taking place around the world. It’s a…

InfoSec News Nuggets 2/14/2020

1 - Apple joins Microsoft, Samsung, Intel in FIDO security alliance Apple has now joined the FIDO or "Fast Identity Online" Alliance, several years after competitors including Microsoft, Samsung, Intel and Google. FIDO is concerned with fostering and promoting higher security for users, and specifically using authentication technology such as biometric sensors rather than passwords. FIDO was formed in July 2012 by a small group of companies including PayPal and Lenovo. Its open specifications called…

InfoSec News Nuggets 2/13/2020

1 - Robot with coronavirus advice hits Times Square Worried about the spread of coronavirus? A five-foot tall (1.5 meter) Promobot might have your answer. The robot with a friendly face rolled into Times Square on Monday to help provide information about the new virus. Curious passersby stopped, filled out a short questionnaire on an iPad-like touch screen attached to the robot’s chest, and even had a conversation with the machine. Promobot was created by…

InfoSec News Nuggets 2/12/2020

1 - Software errors plague Boeing's Calamity Capsule Troubled aerospace giant Boeing will "re-verify" the flight software code for its calamity capsule, the CST-100 Starliner, after it was revealed that December's anomaly could have been a lot, lot worse. Boeing had already coughed to a timer error that made the spacecraft's internal clock 11 hours out of whack while sat on the Atlas V. The result was that the Starliner managed to burn through its attitude control…

InfoSec News Nuggets 2/11/2020

1 - FBI is investigating more than 1,000 cases of Chinese theft of US technology Members of the US government held a conference in Washington this week on the topic of Chinese theft of intellectual property from US technology firms and the US academic sector. Officials said the purpose of the conference -- named the China Initiative Conference -- was to bring the US private sector and the academic and research communities up to speed…

InfoSec News Nuggets 2/10/2020

1 - Data Breach at Mitsubishi Electric Caused by Zero-Day Vulnerability in Antivirus Software When antivirus software is installed and activated, there is usually an assumption that the system is automatically safer. Antivirus software can be penetrated just like any other software can, however, as a 2019 data breach at Japanese electronics giant Mitsubishi Electric demonstrates. Mitsubishi Electric did not disclose what software they were using or exactly what the nature of the data breach…

InfoSec News Nuggets 2/7/2020

1 - No expectation of privacy in an IP address, Alberta judge rules Police in Alberta don’t need a court order to get an external IP address from a service provider in trying to identify an internet user, according to a recent Calgary judicial ruling. The decision is a first in Canadian privacy law. The precedent applies for now only in Alberta but it will be cited in other courts across the country and could be…

InfoSec News Nuggets 2/6/2020

1 - Maze ransomware publicly shaming victims into paying At least five law firms have been hit and held hostage by the Maze ransomware group in the last four days with these attacks being part of a wider campaign possibly affecting between 45 and 180 total victims in January. Maze is using a somewhat unique tactic with its latest victims. Instead of simply placing a ransom note on the infected system and waiting for payment,…

InfoSec News Nuggets 2/5/2020

1 - Magecart group jumps from Olympic ticket website to new wave of e-commerce shops A Magecart group has expanded its operations by compromising not only an Olympic ticket reseller but also a number of other websites referencing a single malicious domain hosting the underlying skimmer code. Magecart is a term used to describe the use of skimmer code to compromise e-commerce payment platforms. Legitimate websites seemingly fine to trust -- the British Airways portal and Ticketmaster being prime examples…

InfoSec News Nuggets 2/4/2020

1 - $20,000 up for grabs in Xbox Live security hole hunt Microsoft is inviting gamers, security researchers, and technologists to pit their wits against the Xbox network in the search for security vulnerabilities. With a newly-announced bug bounty, Microsoft is inviting bug hunters to responsibly disclose bugs and flaws that could potentially be exploited by criminals. The company’s hope is clearly that by strengthening the Xbox Live network it will improve the experience for the…

InfoSec News Nuggets 2/3/2020

1 - Tinder and Bumble under investigation over underage use, sex offenders, and data handling Yesterday, the US House Oversight and Reform subcommittee announced an investigation into popular dating apps including Tinder, Grindr, and Bumble for allegedly allowing minors and convicted sex offenders to use their services. In a press release issued yesterday, the Chairman of the subcommittee, Raja Krishnamoorthi, sent letters to Match Group, Inc — the parent company of major dating apps — seeking…

InfoSec News Nuggets 1/31/2020

1 - Avast Antivirus Is Shutting Down Its Data Collection Arm, Effective Immediately Avast, an antivirus program with more than 435 million users worldwide, said it will stop collecting and selling the private web browsing histories of its users following a joint investigation by Motherboard and PCMag into the sale of that data. In addition, Avast said it will completely shut down Jumpshot, the subsidiary company it used to sell this data. Our investigation found that Avast,…

InfoSec News Nuggets 1/30/2020

1 - Hackers stole $13,103.91 from me. Learn from my mistakes. It began with dumplings. When I got an email at midnight last March from Grubhub notifying me that my order from Dumpling Depot was on its way to an address 3,000 miles away from my location in New York City, I thought there must have been some mistake. And there was: mine. Because I didn’t take a few basic internet security precautions, hackers robbed…

InfoSec News Nuggets 1/29/2020

1 - Watch out Google. You've got competition. Verizon has a new 'privacy-focused' search engine Verizon has slung out a new, privacy-focused search engine in an effort to win over customers who prefer not to have their browsing habits tracked by ad-slingers and the like. Verizon said the new search engine, named One Search, won't share user's personal information with advertisers, or store their search history. A new "Advanced Privacy Mode" will encrypt search terms…

InfoSec News Nuggets 1/28/2020

1 - Leaked Documents Expose the Secretive Market for Your Web Browsing Data An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world's biggest companies, a joint investigation by Motherboard and PCMag has found. Our report relies on leaked user data, contracts, and other company documents that show the sale of this data is both highly sensitive and is in…

InfoSec News Nuggets 1/27/2020

1 - Canadian teen calls cops after fake ID doesn’t arrive, prompts police warning on identity theft scams A Canadian teen’s bizarre call to police on Tuesday to report that the fake ID they ordered online never arrived has authorities stepping up efforts to warn of potential identity theft scams. Const. Ed Sanchuk, of the Ontario Provincial Police, West Region, shared in a video message Wednesday that an unnamed Norfolk County teenager reported the fraud. An investigation determined the teen found an online seller who…

InfoSec News Nuggets 1/24/2020

1 - Soft robotic hands may soon have a firm grip on the industry Soft Robotics, a company that develops enterprise level soft robotic grippers for a variety of materials handling and pick and place applications, is on a roll. After securing a high level strategic partnership in 2019, the company has announced an oversubscribed Series B worth $23M. Back in December, Soft Robotics rolled out an innovative adaptable gripper system designed especially to work with FANUC robots…

InfoSec News Nuggets 1/23/2020

1 - FBI Warns Job Applicants of Scams Using Spoofed Company Sites FBI's Internet Crime Complaint Center (IC3) today issued a public service announcement to warn about scammers using spoofed company websites and fake job listings to target applicants. "Since early 2019, victims have reported numerous examples of this scam to the FBI. The average reported loss was nearly $3,000 per victim, in addition to damage to the victims’ credit scores," the FBI says. "While hiring…

InfoSec News Nuggets 1/22/2020

1 - Smart homes will turn dumb overnight as Charter kills security service Charter is killing its home-security service and telling customers that security devices they've purchased will stop working once the service is shut down on February 5. The impending shutdown and customers' anger at Charter—a cable company also known by the brand name "Spectrum"—has been widely reported over the past month. Over the years, some customers have spent large sums on products that will no longer work.…

InfoSec News Nuggets 1/21/2020

1 - Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices. The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices…

InfoSec News Nuggets 1/20/2020

1 - Georgia election server showed signs of tampering, expert says A computer security expert says he found that a forensic image of the election server central to a legal battle over the integrity of Georgia elections showed signs that the original server was hacked. The server was left exposed to the open internet for at least six months, a problem the same expert discovered in August 2016. It was subsequently wiped clean in mid-2017 with no notice, just…

InfoSec News Nuggets 1/17/2020

1 - Proof-of-concept exploits published for the Microsoft-NSA crypto bug Security researchers have published earlier today proof-of-concept (PoC) code for exploiting a recently-patched vulnerability in the Windows operating system, a vulnerability that has been reported to Microsoft by the US National Security Agency (NSA). The bug, which some have started calling CurveBall, impacts CryptoAPI (Crypt32.dll), the component that handles cryptographic operations in the Windows OS. According to a high-level technical analysis of the bug from cyber-security researcher…

InfoSec News Nuggets 1/16/2020

1 - Production company data breach exposes personal data of Dove ‘real people’ ad participants A data breach at UK-based Fresh Film Productions, which makes adverts for high-profile companies including Unilever, has exposed sensitive personal data of participants in antiperspirant brand Dove’s ‘real people’ campaign. The company inadvertently exposed the data, which included bank details and passport scans, by leaving a company server hosted online on an unsecured Amazon Web Services S3 bucket. This meant…

InfoSec News Nuggets 1/15/2020

1 - Texas school district falls for email scam, hands over $2.3 million A successful phishing scam has left a Texan school district $2.3 million out of pocket. Last week, the Manor Independent School District, in Manor, Texas, said an inquiry is underway to track down the cybercriminals responsible for the fraudulent email campaign. Phishing emails were sent to the organization in November, leading to three separate transactions taking place. An employee uncovered the scheme a month later,…

InfoSec News Nuggets 1/14/2020

1 - Australia Bushfire Donors Affected by Credit Card Skimming Attack Attackers have compromised a website collecting donations for the victims of the Australia bushfires and injected a malicious script that steals the payment information of the donors. This type of attack is called Magecart and involves hackers compromising a web site and injecting malicious JavaScript into eCommerce or checkout pages. These scripts will then steal any credit cards or payment information that is submitted and send it off…

InfoSec News Nuggets 1/13/2020

1 - Facebook Is Forcing Its Moderators to Log Every Second of Their Days — Even in the Bathroom When Valera Zaicev began working in Dublin as one of Facebook’s moderators a couple years ago, he knew he’d be looking at some of the most graphic and violent content on the internet. What he didn’t know was that Facebook would be counting the seconds of his bathroom breaks. “People have to clock in and clock…

InfoSec News Nuggets 1/10/2020

1 - Jussie Smollett investigation: Judge orders Google to turn over a full year of the actor’s data as part of special prosecutor probe A Cook County judge has ordered Google to turn over Jussie Smollett’s emails, photos, location data and private messages for an entire year as part of the special prosecutor’s investigation into the purported attack on the actor. Two sweeping search warrants, obtained by the Chicago Tribune, provide the first public glimpse…

InfoSec News Nuggets 1/9/2020

1 - U of O gives notice of potential privacy breach impacting 188 people The University of Ottawa has given notice of a potential privacy breach impacting 188 people, including elementary and high school students who attended a summer program on campus. The breach stems from an incident in late November 2019 when a password-protected laptop was stolen from a university employee’s vehicle, the administration said in a press release on Friday. The laptop was used for Destination Clic,…

InfoSec News Nuggets 1/8/2020

1 - Cybercriminals Fill Up on Gas Pump Transaction Scams Ahead of Oct. Deadline Gas stations are gearing up for a major change in credit-card fraud liability in October, when they will find themselves on the hook for card-skimming attacks at the pump. In the meantime though, cybercriminals will be targeting pay-at-the-pump point-of-sale mechanisms with a vengeance, researchers say. Fuel pumps represent a last bastion of non-encrypted transactions. Unlike when customers pay inside, the pump…

InfoSec News Nuggets 1/7/2020

1 - U.S. Government Issues Warning About Possible Iranian Cyberattacks Christopher C. Krebs, Director of Cybersecurity and Infrastructure Security Agency issued a warning about a potential new wave of Iranian cyber-attacks targeting U.S. assets after Maj. Gen. Qassim Suleimani was killed by a U.S. airstrike at the Baghdad airport in Iraq. "Given recent developments, re-upping our statement from the summer," Krebs said in a rare warning on Twitter. "Bottom line: time to brush up on Iranian TTPs and pay close…

InfoSec News Nuggets 1/6/2020

1 - CCPA Kickoff: What Businesses Need to Know New year, new privacy regulations: The California Consumer Privacy Act (CCPA) went into effect on January 1, marking the start of a widespread law that will likely have implications beyond state lines. For businesses, it's high time to think about what this means and how to get ahead. CCPA, the original version of which was passed in 2018, was introduced to protect the personal data of…

InfoSec News Nuggets 1/3/2020

1 - Apple answers dev concerns that location tracking alerts will upset users When Apple released iOS 13 towards the end of September 2019 it brought with it a new warning that told users when an app repeatedly accessed their location data in the background. A new Wall Street Journal report (via MacRumors) notes that developers are worried that the alerts will make users doubt their apps. But Apple isn't concerned. According to the report…

InfoSec News Nuggets 1/2/2020

1 - Secure New Internet-Connected Devices During the holidays, internet-connected devices—also known as Internet of Things (IoT) devices—are popular gifts. These include smart cameras, smart TVs, watches, toys, phones, and tablets. Although this technology provides added convenience to our lives, it often requires that we share personal and financial information over the internet. The security of this information, and the security of these devices, is not guaranteed. For example, vendors often store personal information in…

InfoSec News Nuggets 12/31/2019

1 - 160,000 Belgian Allianz Partners clients affected by data theft An Allianz Partners strongbox containing back-up copies of data related to disaster claims was stolen in the Netherlands in August, the insurance and assistance company disclosed on Friday. According to an audit and analysis of the documents concerned, the strongbox contained data on 160,000 Belgian customers who had filed claims for disasters or breakdowns under their assistance contracts or travel insurance. The strongbox was…

InfoSec News Nuggets 12/30/2019

1 - A Twitter app bug was used to match 17 million phone numbers to user accounts A security researcher said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter’s Android app. Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature. “If you upload your phone number, it fetches user data in return,” he told TechCrunch. He said…

InfoSec News Nuggets 12/27/2019

1 - Chinese malware broker behind US hacks is now teaching computer skills in China A Chinese malware broker who was sentenced in the United States this year for dealing in malicious software linked to major hacks is back at his old workplace: teaching high-school computer courses, including one on Internet security. Mr Yu Pingan, who spent 18 months in a San Diego federal detention centre, had pleaded guilty to conspiracy to commit computer hacking.…

InfoSec News Nuggets 12/26/2019

1 - Apple eyes satellite internet for data project Apple is reportedly hiring engineers to help deliver a satellite project that would beam internet services directly to devices without the aid of mobile networks. Bloomberg reports that Apple has an early stage project with about 12 engineers from the aerospace, satellite and antenna design industries who hope to launch the project within five years. Exactly what Apple is cooking up is not clear and it could have…

InfoSec News Nuggets 12/23/2019

1 - FBI program offers companies data protection via deception The Federal Bureau of Investigations is in many ways on the front lines of the fight against both cybercrime and cyber-espionage in the US. These days, the organization responds to everything from ransomware attacks to data thefts by foreign government-sponsored hackers. But the FBI has begun to play a role in the defense of networks before attacks have been carried out as well, forming partnerships with some…

InfoSec News Nuggets 12/20/2019

1 - The weird future of brain-computer interfaces: Replacing passwords with thoughts and mind-reading bosses who can tell when you are bored Brain computer interfaces may sound futuristic, but adoption of such systems -- which allow signals from the brain to be recorded or used to control technology -- is on the rise. Much of the development work going on around BCIs is focused on medical uses for the tech, but consumer applications of BCIs…

InfoSec News Nuggets 12/19/2019

1 - ISIS Is Experimenting with This New Blockchain Messaging App The Islamic State has discovered blockchain. The technology that powers cryptocurrencies like bitcoin and ethereum promises to revolutionize almost all facets of society, from payment processing to online voting. Now ISIS is actively testing a blockchain-based messaging app that could provide everything it needs to thrive: secure, anonymous communication, a tamper-proof repository for beheading videos and other ISIS propaganda, and perhaps most ominously, the…