What’s worse than companies selling the real-time locations of cell phones wholesale? Failing to take security precautions that prevent people from abusing the service. LocationSmart did both, as numerous sources indicated this week.
The company is adjacent to a hack of Securus, a company in the lucrative business of prison inmate communication; LocationSmart was the partner that allowed the former to provide mobile device locations in real time to law enforcement and others. There are perfectly good reasons and methods for establishing customer location, but this isn’t one of them.
Police and FBI and the like are supposed to go directly to carriers for this kind of information. But paperwork is such a hassle! If carriers let LocationSmart, a separate company, access that data, and LocationSmart sells it to someone else (Securus), and that someone else sells it to law enforcement, much less paperwork required! That’s what Securus told
Continue reading "LocationSmart didn’t just sell mobile phone locations, it leaked them"
Who says privacy is dead? Facebook’s founder Mark Zuckerberg has agreed to take European parliamentarians’ questions about how his platform impacts the privacy of hundreds of millions of European citizens — but only behind closed doors. Where no one except a handful of carefully chosen MEPs will bear witness to what’s said.
The private meeting will take place on May 22 at 17.45 CET in Brussels. After which the president of the European Parliament, Antonio Tajani, will hold a press conference to furnish the media with his version of events.
It’s just a shame that journalists are being blocked from being able to report on what actually goes on in the room.
And that members of the public won’t be able to form their own opinions about how Facebook’s founder responds to pressing questions about what Zuckerberg’s platform is doing to their privacy and their fundamental rights. Because the doors
Continue reading "Zuckerberg will meet with European parliament in private next week"
Auth0, a startup based in Seattle, has been helping developers with a set of APIs to build authentication into their applications for the last five years. It’s raised a fair bit of money along the way to help extend that mission, and today the company announced a $55 million Series D.
This round was led by Sapphire Ventures with help from World Innovation Lab, and existing investors Bessemer Venture Partners, Trinity Ventures, Meritech Capital and K9 Ventures. Today’s investment brings the total raised to $110 million. The company did not want to share its valuation.
CEO Eugenio Pace said the investment should help them expand further internationally. In fact, one of the investors, World Innovation Lab, is based in Japan and should help with their presence there. “Japan is an important market for us and they should help explain to us how the market works there,” he
Continue reading "Auth0 snags $55M Series D, seeks international expansion"
Russian cybersecurity software maker Kaspersky Labs has announced it will be moving core infrastructure processes to Zurich, Switzerland, as part of a shift announced last year to try to win back customer trust.
It also said it’s arranging for the process to be independently supervised by a Switzerland-based third party qualified to conduct technical software reviews.
“By the end of 2019, Kaspersky Lab will have established a data center in Zurich and in this facility will store and process all information for users in Europe, North America, Singapore, Australia, Japan and South Korea, with more countries to follow,” it writes in a press release.
“Kaspersky Lab will relocate to Zurich its ‘software build conveyer’ — a set of programming tools used to assemble ready to use software out of source code. Before the end of 2018, Kaspersky Lab products and threat detection rule databases (AV databases) will start to be
Continue reading "Kaspersky to move some core infrastructure out of Russia to fight for trust"
A dataset of over 3 million Facebook users and a variety of their personal details collected by Cambridge researchers was available for anyone to download for some four years, New Scientist reports. It’s likely only one of many places where such huge sets of personal data collected during a period of permissive Facebook access terms have been obtainable.
The data were collected as part of a personality test, myPersonality, which according to its own wiki (now taken down) was operational from 2007 to 2012, but new data was added as late as August of 2016. It started as a side project by the Cambridge Psychometrics Centre’s David Stillwell (now deputy director there), but graduated to a more organized research effort later. The project “has close academic links,” the site explains, “however, it is a standalone business.” (Presumably for liability purposes; the group never charged for access to the data.
Continue reading "Anyone could download Cambridge researchers’ 4-million-user Facebook dataset for years"
As old-school industries like oil and gas increasingly network entities like oil platforms, they become more vulnerable to hacking attacks that were impossible when they were stand-alone. That requires a new approach to security, and Xage (pronounced Zage), a security startup that launched last year, thinks it has the answer with a concept called ‘fingerprinting’ combined with the blockchain.
“Each individual fingerprint tries to reflect as much information as possible about a device or controller,” Duncan Greenwood, Xage’s CEO explained. They do this by storing configuration data from each device and controller on the network. That includes the hardware type, the software that’s installed on it, the CPU ID, the storage ID and so forth.
If someone were to try to inject malware into one of these controllers, the fingerprint identification would notice a change and shut it down until human technicians could figure out if it’s a legitimate change or
Continue reading "Xage introduces fingerprinting to protect industrial IoT devices"
Those who use PGP and S/MIME to send secure emails are being advised to cease using and disable the tools with immediate effect following a major security scare.
Researcher Sebastian Schinzel, a professor of computer security with Münster University of Applied Sciences, claims to have identified a security flaw that “might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.” One of eight researchers from three European universities working on identifying the issue, he added that there is no fix right now.
The research itself is scheduled to be released in full at 7:00 am UTC on Tuesday, but for now Schinzel is spreading word on Twitter, while the EFF has also posted a warning after apparently seeing the findings in full.
“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the
Continue reading "Researchers warn of critical flaw affecting PGP and S/MIME"
This is likely to be a bit of a black eye for Amazon, as the company looks to bolster its presence in the home security space. The Information reports that, until earlier this year, a security loophole allowed users to continue to view a feed from Ring’s doorbell camera even after its password was changed.
Ring, which was purchased by Amazon for $1 billion earlier this year, acknowledged that it patched the issue in January. The update arrived after a Miami man told the company that his ex had continued to watch the feed, after he had updated the password. Even so, the update doesn’t occur immediately, CEO Jamie Siminoff acknowledged, adding that kicking users off immediately would slow down the app, according to the site.
Ring was a centerpiece of a number of recent acquisitions for Amazon, allowing the company to expand delivery directly into customers’ homes and serving
Continue reading "Ring’s doorbell cam allowed video access after its password was changed"
A new exploit allows hackers to spoof two-factor authentication requests by sending a user to a fake login page and then stealing the username, password, and session cookie.
Chief Hacking Officer Kevin Mitnick showed the hack in a public video. By convincing a victim to visit a typo-squatting domain like “LunkedIn.com” and capturing the login, password, and authentication code, the hacker can pass the credentials to the actual site and capture the session cookie. Once this is done the hacker can log in indefinitely. This essentially uses the one-time 2FA code as a way to spoof a login and grab data.
“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said Stu Sjouwerman, KnowBe4 CEO. “Two-factor authentication is intended to be an extra layer of security, but in this instance,
Continue reading "Hacker Kevin Mitnick shows how to bypass 2FA"
If you’re using Signal for secure messaging, here’s something to be aware of. The app is one of the best-regarded encrypted messaging tools out there, but Mac owners who use Signal might inadvertently be putting their privacy at risk.
reports, security researcher Alec Muffett discovered that Signal messages sent to a Mac can persist in the notifications center, even if you have the app’s settings tuned to delete them.
That fact suggests that otherwise private messages live on in the operating system, which is something other researchers are looking into at the moment.
A new report published by security researcher Troy Mursch details how the cryptocurrency mining code known as Coinhive is creeping onto unsuspecting sites around the web. Mursch recently detected the Coinhive code running on nearly 400 websites, including ones belonging to the San Diego Zoo, Lenovo and another for the National Labor Relations Board. The full list is available here.
Notably, the list names a number of official government and education websites, including the Office of the Inspector General Equal Employment Opportunity Commission (EEOC) and sites for the University of Aleppo and the UCLA Atmospheric and Oceanic Sciences program.
Most of the affected sites are hosted by Amazon and are located in the United States, and Mursch believes that they were compromised through an outdated version of Drupal:
“Digging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method. The
Continue reading "Cryptojacking malware was secretly mining Monero on many government and university websites"
In a move seemingly designed specifically to frustrate law enforcement, Apple is adding a security feature to iOS that totally disables data being sent over USB if the device isn’t unlocked for a period of 7 days. This spoils many methods for exploiting that connection to coax information out of the device without the user’s consent.
The feature, called USB Restricted Mode, was first noticed by Elcomsoft researchers looking through the iOS 11.4 code. It disables USB data (it will still charge) if the phone is left locked for a week, re-enabling it if it’s unlocked normally.
Normally when an iPhone is plugged into another device, whether it’s the owner’s computer or another, there is an interchange of data where the phone and computer figure out if they recognize each other, if they’re authorized to send or back up data, and so on. This connection can be taken advantage
Continue reading "iOS will soon disable USB connection if left locked for a week"
Buried inside Twitter’s Android app is a “Secret conversation” option that, if launched, would allow users to send encrypted direct messages. The feature could make Twitter a better home for sensitive communications that often end up on encrypted messaging apps like Signal, Telegram, or WhatsApp.
The encrypted DMs option was first spotted inside the Twitter for Android application package (APK) by Jane Manchun Wong. APKs often contain code for unlaunched features that companies are quietly testing or will soon make available. A Twitter spokesperson declined to comment on the record. It’s unclear how long it might be before Twitter officially launches the feature, but at least we know it’s been built.
The appearance of encrypted DMs comes 18 months after whistleblower Edward Snowden asked Twitter CEO Jack Dorsey for the feature, which Dorsey said was “reasonable and something we’ll think about”.
Twitter has gone from “thinking about” the feature
Continue reading "Twitter has an unlaunched “Secret” encrypted messages feature"
Another big development in the personal data misuse saga attached to the controversial Trump campaign-linked UK-based political consultancy, Cambridge Analytica — which could lead to fresh light being shed on how the company and its multiple affiliates acquired and processed US citizens’ personal data to build profiles on millions of voters for political targeting purposes.
The UK’s data watchdog, the ICO, has today announced that it’s served an enforcement notice on Cambridge Analytica affiliate SCL Elections, under the UK’s 1998 Data Protection Act.
The company has been ordered to give up all the data it holds on one US academic within 30 days — with the ICO warning that: “Failure to do so is a criminal offence, punishable in the courts by an unlimited fine.”
The notice follows a subject access request (SAR) filed in January last year by US-based academic David Carroll after he became suspicious about how
Continue reading "UK watchdog orders Cambridge Analytica to give up data in US voter test case"
After a distributed denial-of-service attack knocked some servers offline during a local election in Tennessee this week, Knox County is working with an outside security contractor to investigate the cause. The attack took the Knox County Election Commission site displaying results of the county mayoral primary offline during Tuesday night voting. The county resorted to distributing printed results during the outage.
“Tonight, our web servers suffered a successful denial of service attack,” Knox County wrote on Twitter on Tuesday night. “Election results were not affected, as our election machines are never connected to the Internet.”
The day after the incident, Knox County Mayor Tim Burchett reassured voters that the attack did not compromise the vote. Election systems that can go online are far less secure than systems that are not able to connect to the internet.
“Although the crash did not affect the vote tallies or the integrity of
Continue reading "A cyberattack knocked a Tennessee county’s election website offline during voting"
Critical infrastructure worries in the U.S. and abroad are far from over. This week, security firm Tenable published research demonstrating a vulnerability affecting two software programs used by global energy management company Schneider Electric. The company’s systems are in place in facilities across North America, Western Europe and Asia.
Before publishing its research, Tenable notified Schneider Electric, allowing the company to patch its software vulnerabilities in early April while issuing guidance for affected plants to update their systems.
“There’s no doubt the discovery of this severe vulnerability comes at a time when critical infrastructure security is top-of-mind for organizations and government agencies everywhere,” Tenable Chief Product Officer Dave Cole said in a statement. Cole noted that this vulnerability exists at the relatively new intersection of IT and operational technology.
Tenable describes the flaw, present in InduSoft Web Studio and InTouch Machine Edition, as a remote code execution vulnerability
Continue reading "Flaw in global energy facility software shows critical infrastructure risks"
Yes, it’s that time again — password changing time. On Thursday, Twitter revealed that a bug caused the platform to store user passwords in unmasked form. Normally, sensitive personal data like passwords would be stored only in hashed form, as a scrambled mix of letters and numbers from which the original password cannot be read back, protecting the content of the password itself. In this instance, it sounds like Twitter stored plain text passwords openly without any hashing on an internal log.
Twitter notes that it currently has “no reason to believe password information ever left Twitter’s system” or that these unprotected passwords were accessed by hackers, but
Continue reading "You should change your Twitter password right now"
Last October, Google launched its Advanced Protection Program for users who want to ensure the highest degree of protection for the data they store in services like Gmail, Google Calendar and Drive. Users who need that kind of protection can opt into this program, but in return, they have to use security keys for 2-step verification and can only access their Google data from Google’s own web and mobile apps.
Today, Google is opening up this last restriction a bit by opening up access through Apple’s own native iOS apps like the Mail, Calendar and Contacts apps. Users in the Advanced Protection program can now choose to give those apps access to their data, too. When they sign in
“Our goal is to make sure that any user facing an increased risk of online attacks enrolls in the Advanced Protection Program,” Dario Salice, Google’s product manager for this service, writes. “Today, we’ve
Continue reading "Google’s Advanced Protection program now allows access from Apple’s mobile apps, too"
In this episode of Technotopia I talk to Jeff Schmidt of the Columbus Collaboratory. He is well-versed in the future of security and our conversation ranged from the rise of the midwest to the future of cyberattacks.
The Columbus Collaboratory is a unique think tank dedicated to building security and system solutions for major clients. It’s a sort of Delta Force for major corporations headquartered in Columbus, and Schmidt has a lot to say about the value of a good security plan.
Technotopia is a podcast by John Biggs about a better future. You can subscribe in Stitcher and listen to the MP3 here.
Encrypted messaging service Signal received a curious email from Amazon Web Services. The representative at Amazon is saying that Signal is violating the terms of service by using domain fronting to avoid censorship.
Signal isn’t necessarily the most popular messaging app. But chances are you’ve been using Signal technologies in the past. The organization behind it has partnered with WhatsApp to develop the end-to-end encryption protocol used in WhatsApp.
While this is a great improvement over unencrypted communications, WhatsApp is blocked in China and owned by Facebook. And Facebook leverages WhatsApp user data in most of the world for its other services. So Facebook knows your address book, the timestamps and recipients of all your messages — Facebook just can’t read the content of your messages.
That’s why Open Whisper Systems, the organization behind Signal, is also developing its own messaging app and service. It’s available on iOS, Android and
Continue reading "Signal could get kicked out of Amazon Web Services"