FBI to Internet Users: Don’t Let Your Browser Remember Your Password

The U.S. Federal Bureau of Investigation this week offers some radical tips for private Internet users and businesses alike. Chief among them: disable autofill and remembering passwords.

It’s not entirely clear whether the FBI’s tips are meant to ensure online safety during the Coronavirus scare. Regardless, these dos and don’ts arrive amid a wave of Coronavirus-fueled scams circling the globe, so the tips come at an opportune time.

“Web browsers are how your devices access the Internet,” according to the Oregon FBI’s Tech Tuesday segment. “They are, by nature, open to the world through contact with other machines connected to the Internet. Because of this, they’re a natural place for hackers to try to break into your networks.”

The Bureau warns Internet users that leaving default settings on for the browsers we use can leave us vulnerable to hackers. It also notes that each browser has differing levels of built-in privacy and security. It advises organizations, specifically, to “figure out which browser offers the privacy and security your staff is looking for.”

To maximize privacy and security, the FBI recommends that you:

• Disable autofill, remembering passwords, and browsing histories
• Do not accept cookies from third parties
• Clear all forms of browser history when closing the browser
• Block ad tracking
• Enable ‘do not track’ requests to be sent to websites
• Disable browser data collection
• When certificates are requested, ensure the browser requests your permission to provide them
• Disable cache (or storing) of web pages or other content, or set the cache size to zero
• Enable browser capabilities to block malicious, deceptive, or dangerous content
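
As an added illustration, not part of the FBI guidance or this article, here is a Firefox enterprise policies.json that applies the list above centrally to managed workstations instead of relying on each user to change settings by hand. It assumes the policy names and preference keys shown are the ones documented for Firefox's enterprise policy engine (an assumption to verify against the policy templates for the deployed version) and that the file is placed in the browser's distribution directory.

```json
{
  "policies": {
    "PasswordManagerEnabled": false,
    "DisableFormHistory": true,
    "Cookies": {
      "AcceptThirdParty": "never",
      "RejectTracker": true,
      "ExpireAtSessionEnd": true,
      "Locked": true
    },
    "SanitizeOnShutdown": {
      "Cache": true,
      "Cookies": true,
      "History": true,
      "FormData": true,
      "Sessions": true,
      "Locked": true
    },
    "EnableTrackingProtection": {
      "Value": true,
      "Locked": true
    },
    "DisableTelemetry": true,
    "Preferences": {
      "privacy.donottrackheader.enabled": { "Value": true, "Status": "locked" },
      "browser.cache.disk.enable": { "Value": false, "Status": "locked" },
      "browser.cache.memory.enable": { "Value": false, "Status": "locked" },
      "security.default_personal_cert": { "Value": "Ask Every Time", "Status": "locked" },
      "browser.safebrowsing.malware.enabled": { "Value": true, "Status": "locked" },
      "browser.safebrowsing.phishing.enabled": { "Value": true, "Status": "locked" }
    }
  }
}
```

The first six policies cover the autofill, password, third-party cookie, clear-on-close, ad-tracking and data-collection bullets; under Preferences, privacy.donottrackheader.enabled covers the ‘do not track’ bullet, the two browser.cache entries the zero-cache bullet, security.default_personal_cert the certificate-prompt bullet, and the two safebrowsing entries the malicious-content bullet.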

Users who choose to use add-ons to manage their online safety are told to do some research to check for any negative reports about the add-ons’ performance. Browsers are to be kept up to date and users should check the browsers themselves are owned by reputable companies, “preferably in the US,” the agency recommends. The reason?

“Other countries may have different laws about what browser companies must provide to foreign governments, which means your information on a foreign-owned app or browser may have less legal protection than it would in the United States,” the FBI notes.

Some VPN Apps Secretly Gather Anonymized User Data

An investigation has revealed that Sensor Tower, a tech platform that allows developers to gather usage data, has been collecting information about millions of users from apps such as VPNs and ad-blockers.

According to a BuzzFeed News investigation, Sensor Tower owned numerous other apps in the past five years, such as various VPN and ad-blocking solutions. While many of these apps are no longer in use, a lot of anonymized data was collected and still exists.

The problem resides with a root certificate that apps such as Free and Unlimited VPN or Adblock Focus were installing on users’ devices. Since installing root certificates, via the official app stores, is not permitted, the developer skirted the limitation by prompting users to install the certificate from a website.

“When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense — especially considering our history as a startup,” said Randy Nelson, Sensor Tower’s head of mobile insights, trying to explain why they built apps this way. 

He also said no personal data is collected from users and that many of the apps owned by Sensor Tower no longer exist. As it turns out, many of the apps the company owned were actually removed from the official app store for various violations.

“We take the app stores’ guidelines very seriously and make a concerted effort to comply with them, along with any changes to these rules that occur from time to time,” Nelson added.

There’s no indication that the practice of collecting data from such apps stopped, so users should seriously think about who they are giving personal information to, even if it’s technically anonymized.

Secret-sharing app Whisper failed to keep users’ fetishes and locations private

Launched in 2012, the Whisper app declared itself to be a place where anyone could post their private thoughts and extreme confessions anonymously. In its promotional material it describes itself as “the largest online platform where people share real thoughts and feelings… without identities or profiles.”

Tens of millions of active users every month trust Whisper with their secrets, seemingly unafraid of being identified as they share everything ranging from guilty pleasures and personal struggles to bad boyfriends and taboo fetishes.

The one thing that all users had in common was that they believed their sometimes extreme confessions were being posted safely, without danger that they could be identified.

But now security researchers have raised the alarm after discovering that hundreds of millions of Whisper users’ intimate messages, tied to their locations, were publicly available.

As The Washington Post reports, a Whisper database was left exposed on the internet for anybody to access – no password required.

Matthew Porter and Dan Ehrlich of Twelve Security revealed that they had been able to access almost 900 million user records, dating from the app’s release in 2012 to the present day.

Fortunately the exposed records did not include users’ real names. But it did include information they had attached to their profile – which included age, ethnicity, gender, hometown, nickname, and membership of any particular Whisper groups. As The Washington Post points out, many Whisper groups are focused on sexual desires and fetishes.

That would be bad enough, and reason to be alarmed due to Whisper’s apparent lax security, but the database also included the location co-ordinates of users’ last submitted post – likely to point back to specific workplaces, military bases, neighbourhoods, and schools.

It’s easy to imagine how someone might be put in danger or blackmailed if their private thoughts or sexual orientation were linked to their true real-life identity.

Whisper, which was informed of the problem earlier this week, has since restricted access to the database, whilst disputing the seriousness of the data breach in a statement:

Lauren Jamar, a vice president of content and safety at Whisper’s parent company, MediaLab, said in a statement that the company strongly disputed their findings. The posts and their ties to locations, ages and other data, she said, represented “a consumer facing feature of the application which users can choose to share or not share.”

One concern is that the data was available to download in its entirety, compounding the risk to users – especially if it was combined with other sensitive data sets.

The researchers, however, said the fact that the unprotected intimate data was available for download en masse was particularly concerning — and warned of the potential for it to be combined with other sensitive data sets, putting users’ privacy at even greater risk.

And there certainly does appear to be plenty of sensitive information in the exposed data which, in the wrong hands, could be weaponised through extortion and threats.

For instance, almost 100,000 accounts were marked as banned for having solicited minors, and another field in the database gave users a “predator_probability” score (some 9,000 users had been given a score of 100%).

Researcher Dan Ehrlich described Whisper’s failure to keep the data private as “grossly negligent,” and I can’t help but agree.

Whisper’s dirty little secret was that for eight years it left this information exposed for anyone to access. And now it doesn’t appear to even be that sorry about it.

Researcher wins $55,000 for ‘Login with Facebook’ hack

Facebook’s bug bounty program has yielded a hefty paycheck to a researcher from India who discovered a serious security flaw in the platform.

In December last year, Amol Baikar was tinkering with the “Login with Facebook” feature when he discovered that he could hijack the OAuth flow and steal a user’s access tokens.

All an attacker had to do was to send the victim a malicious link, which the unwary recipient would (theoretically) click. With the access tokens in hand, the attacker would be able to take over the user’s account.

Facebook acknowledged the issue within a few hours of Baikar submitting the bug report. On December 16, the social network silently pushed out a fix.

“I’m very glad that I’m part of this responsible disclosure to Facebook and joyous to achieve my goal successfully,” the researcher wrote on his blog.

“We’ve fixed the issue and haven’t seen any evidence of abuse,” Facebook told SecurityWeek. “We’re grateful for this researcher’s help to keep our platform safe.”

Spammers Use Coronavirus Message to Deploy Keylogger

Hackers are weaponizing the COVID-19 coronavirus disease, trying to trick people into downloading malware so attackers can steal valuable information from victims’ computers.

Malware deployed through infected emails and files is nothing new. Still, hackers need a hook to capture the attention of potential victims, and what better way than to exploit a pandemic to persuade users to open infected files?

Security researchers observed the spread of a file named “CoronaVirusSafetyMeasures_pdf,” most likely as an email attachment, which is actually a dropper for a remote access trojan (RAT) that acts as a keylogger, recording all key presses.

As normally happens with this kind of malware, the attachment is rarely the endgame for the attacker, not least because hackers don’t want to trigger endpoint protection. In this particular case, it’s a dropper, meaning the file is just one step towards the goal.

Opening the attachment starts the download of an encrypted binary, which in turn downloads two files, “filename1.vbs” and “filename1.exe.” It writes to the Windows registry to ensure it survives a reboot. At this point, it likely acts as a keylogger, recording users’ key presses and storing them in a file. The data gathered by the malware is sent to a command and control (C&C) server at the address 66.154.98.108, hosted with a US hosting provider that’s been around since 2012.

Exploiting newsworthy topics like the coronavirus scare is a common method of spreading malware, as people are more likely to open an email or attachment coming from unknown sources. Using a security solution is recommended, but it’s also advisable not to open emails from unknown senders, especially if they seem to have anything to do with the coronavirus epidemic.

Data breach: U.S. retailer J.Crew reveals 2019 security incident to customers

J.Crew suffered a credential stuffing attack that may have compromised the personal data of customers, the U.S. clothing retailer disclosed earlier this week. Fraudulent activity was apparently noticed last spring, but the firm did not reveal the number of compromised accounts on its website.

In a data breach notice sent to shoppers, the company states that “through routine and proactive web scanning, we recently discovered information related to your jcrew.com account. Based on our review, we believe your email address (used as your jcrew.com username) and password were obtained by an unauthorized party and in or around April 2019 used to log into your jcrew.com account.”

It’s unclear why it took the company almost a year to notify users, but studies show it takes an average of 197 days to identify a data breach. Although the number of victims was not revealed, California law obliges companies to send out security breach notices only if the incident affected more than 500 residents. It is safe to assume the number of victims falls above that, potentially by an order of magnitude.

On top of the compromised email addresses and passwords, the threat actor could have accessed additional information stored on the account, including the last four digits of credit card numbers, expiration dates, card types, billing addresses, order numbers and shipping confirmation numbers, along with order status. In an attempt to minimize the damage, the company disabled the accounts marked with suspicious activity and asked users to reset their login passwords.

Data breaches and data leaks often take a long time to discover. Don’t rely solely on corporate notification emails – a company can’t notify you of a data breach or security incident unless it knows about it. As with any such leak incident, you should start changing the password for all of your accounts, and by no means should you recycle any old passwords just because they are easier for you to memorize. Should you find it difficult, you can always use a password manager. Don’t forget to keep your security solution up to date and monitor all your online accounts for suspicious activity. It’s always a good idea to enable 2FA (two-factor authentication) for all of your e-commerce and social media websites. If somebody tries to access your account, you’ll be notified of any questionable activity so you can take immediate action.

Over one billion Android devices at risk as they no longer receive security updates

More than one billion Android devices are at risk of being hacked or infected by malware, because they are no longer supported by security updates and built-in protection.

That’s the conclusion of an investigation by Which?, which found that at-risk smartphones are still being sold by third-parties via sites like Amazon, despite the range of malware and other threats to which they are vulnerable.

The report cites data that Google collected itself in May 2019, which discovered that 42.1% of active Android users worldwide were running version 6.0 (known as Marshmallow) of the operating system or earlier.

The problem with that picture is that the current version of Android is version 10, released last September. Its immediate predecessors – Android 9.0 Pie and Android 8.0 Oreo – continue to receive updates, but earlier versions do not.

To demonstrate the problem, Which? purchased a Motorola X, Samsung Galaxy A5 2017 and Sony Xperia Z2 from Amazon Marketplace sellers and put them to the test alongside an LG/Google Nexus 5 and Samsung Galaxy S6 they already had in its test lab.

In tests conducted with experts at AV-Comparatives, it was found that the phones were susceptible to a variety of vulnerabilities made public long ago.

These included:

  • BlueFrag – a critical vulnerability in Android’s Bluetooth component that could allow a nearby malicious hacker to compromise a device in order to steal data and spread malware.
  • Stagefright – first discovered in 2015, hackers could exploit unpatched Android devices to silently and remotely infect them with malware via a boobytrapped MMS message.
  • Joker (also known as Bread) – malware that poses as a legitimate app in the Google Play store, but registers victims’ devices for premium-rate services and plunders devices’ address books.

Kate Bevan of Which? is calling on phone manufacturers to be more transparent about how long consumers can expect to have their devices supported with critical security updates:

“It’s very concerning that expensive Android devices have such a short shelf life before they lose security support – leaving millions of users at risk of serious consequences if they fall victim to hackers. Google and phone manufacturers need to be upfront about security updates – with clear information about how long they will last and what customers should do when they run out.”

The best thing to do, of course, is for Android users to run a more secure version of the operating system on their smartphones – one that is still receiving security patches.

But, if your older phone isn’t able to be updated, what steps should you take to better secure yourself?

Clearly, regular backups of important data are always a good idea. That’s sensible even if you aren’t worried about having your phone hacked, as a backup could save your bacon if you were to ever accidentally damage your phone or have it stolen.

But also be aware that the majority of malware threats for Android originate outside the official Google Play store. Be wary of side-loading apps from other sources as they may not have been as well vetted.

In addition, always be careful about clicking on suspicious-looking links or opening attachments in SMS or MMS messages if you are not expecting them.

You may also want to consider running a mobile anti-virus product on your device.

If smartphone security doesn’t improve, the only people who are going to be smiling about the more than one billion vulnerable Android devices will be the criminals themselves.

Virgin Media Admits Failing to Secure Online Database with Info on 900,000 Customers

Virgin Media admitted it left an unsecured database online containing personal data for about 900,000 customers, including their phone numbers, names, and physical addresses.

When people hear about data breaches, they usually imagine hackers gaining access to secure systems, but that’s not always the case. Sometimes, data breaches have a simpler cause — pure negligence. It doesn’t always take a mastermind to access people’s private information, especially when it can be found unsecured online.

“The database was used to manage information about our existing and potential customers in relation to some of our marketing activities,” says Virgin Media. “This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth.”

Fortunately, the database held no financial information or passwords. Even without it, though, a trove of verified, cross-referenced data about customers can be very useful in the right hands and could fetch a high price on the dark market.

The company also said the database was apparently accessed only once, by an unauthorized user, but it’s difficult to ascertain more than that. Such private data can be used in several criminal endeavors, with phishing being the most likely. It’s important to know that Virgin Media will never call or email people and ask them for banking details, and suspicious emails should be reported to the company immediately.

The company has already contacted the people affected by the data breach, so customers don’t have to do anything extra. To stay on the safe side, people should change their passwords after data breaches anyway, making sure to choose unique and powerful credentials.

Multiple Elasticsearch databases have been found exposed online in the past few months, and it looks like Virgin Media is not the only one being cavalier with private data. In 2019, an Elasticsearch server containing personal information on 1.2 billion people, scraped from various online sources, was found unsecured, online, and with no apparent owner.

Two Las Vegas Casinos May Have Been Crippled by Ransomware Attacks

An apparent ransomware attack hit the Four Queens Hotel and Casino and Binion’s Casino in Los Angeles, crippling their ability to trade in anything other than cash and affecting some of the slot machines.

A strange sight greeted customers of the Four Queens Hotel and Casino and Binion’s Casino: rows upon rows of deserted slot machines, which remained inactive for almost a week. A CBR report hints at a ransomware attack, although the two casinos, both owned by TLC Casino Enterprises, have yet to issue any statements.

“Computer systems are down. Cash only,” were among the messages to customers, along with “Out of order,” and “Out of service.” An entire floor of inactive slot machines is clearly not an ideal scenario for any casino.

The only statement came from the Nevada State Gaming Control Board. “The board is aware of the incident, and we are actively monitoring the situation. As this is an ongoing investigation, we have no further comment.”

This is not the only incident to affect the casino industry in Nevada. Just last month, MGM Resorts International admitted to being hacked in 2019, leading to the leak of data of more than 10.6 million guests.

While hackers often go after easy targets, such as healthcare providers, that are slower to upgrade their software and hardware, any company can fall victim. It’s unclear what exactly happened to the two casinos, but hackers can also exfiltrate data during ransomware attacks, and the level of damage depends very much on the level of preparedness of the infrastructure.

T-Mobile Suffers a Data Breach, Again

T-Mobile has begun notifying customers of a security breach that might affect an undetermined number of them, possibly revealing their names and addresses, phone numbers, account numbers, rate plans and features, and billing information.

Wireless carriers are a prime target for hackers because they hold large databases of customers and data that command a high value on the black market. Even if no financial data is leaked, it’s still a significant security issue.

The T-Mobile data breach exposed limited data about customers, including real names and addresses, phone numbers, account numbers, rate plans and billing information. There’s no indication of leaked passwords or credit card and Social Security numbers, but what was exposed is still valuable.

“Our Cybersecurity team recently identified and shut down a malicious attack against our email vendor that led to unauthorized access to certain T-Mobile employee email accounts, some of which contained account information for T-Mobile customers and employees,” says the company in a note to customers. “An investigation was immediately commenced, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was affected.”

For now, the stolen data has apparently yet to be used in any nefarious ways, such as in fraud. Still, while the customers don’t have to do anything special, T-Mobile is advising everyone to review their account information and update their personal identification number (PIN/passcode).

The telecom company is not offering any other details about the hack, so there is no clue as to the culprit. Unfortunately, this is not the first security incident for T-Mobile, as the company suffered a similar incident in November 2019, when a breach exposed data about pre-paid customers. Also, in 2018 a data breach compromised the private data of 2.3 million customers.
