First American site bug exposed 885 million sensitive title insurance records


This post is by Zack Whittaker from TechCrunch


Click here to view on the original site: Original Post




News just in from security reporter Brian Krebs: Fortune 500 real estate insurance giant First American exposed approximately 885 million sensitive records because of a bug in its website.

Krebs reported that the company’s website was storing and exposing bank account numbers, statements, mortgage and tax records, Social Security numbers and driving license images in a sequential format — so anyone who knew a valid web address for a document simply had to change the address by one digit to view other documents, he said.

There was no authentication required — such as a password or other checks — to prevent access to other documents.

According to Krebs’ report, the earliest document was labeled “000000075” — with newer documents increasing in numerical order, he said.

The data goes back at least to 2003, said Krebs.
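The exposure Krebs describes is a classic insecure direct object reference: the document number in the URL is the only thing the site checks. The following is an added illustration, not code from First American or from the original reporting, that models the flawed lookup beside a hardened one; the document store, session table and `issue_reference` helper are constructed for the example.

```python
import secrets

# Constructed sample archive keyed by sequential, zero-padded numbers, as in the report.
DOCUMENTS = {
    "000000075": {"owner": "alice", "title": "wire confirmation"},
    "000000076": {"owner": "bob", "title": "mortgage statement"},
}

# Constructed session table: session token -> authenticated user.
SESSIONS = {"sess-alice": "alice"}

# Opaque reference token -> internal document number (filled by issue_reference).
DOC_REFS: dict[str, str] = {}


class AccessDenied(Exception):
    pass


def fetch_document_vulnerable(doc_id: str) -> dict:
    """The flawed pattern: the number from the URL is the only input.

    No session is required and ownership is never checked, and because the
    numbers are sequential, every record in the archive is one step from the
    last. This is the behaviour the article describes, kept for contrast.
    """
    return DOCUMENTS[doc_id]


def issue_reference(doc_id: str) -> str:
    """Hand out an unguessable handle for a document instead of its number.

    Random tokens carry no ordering, so a valid handle for one document says
    nothing about any other. The real fix is the ownership check below;
    opaque handles only remove the trivial enumeration.
    """
    ref = secrets.token_urlsafe(24)
    DOC_REFS[ref] = doc_id
    return ref


def fetch_document_hardened(session_token: str, doc_ref: str) -> dict:
    """Authenticate the caller, then authorise them for this specific document."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise AccessDenied("authentication required")
    doc_id = DOC_REFS.get(doc_ref)
    # One error for both "no such handle" and "not your document", so the
    # response does not confirm whether a guessed handle exists.
    if doc_id is None or DOCUMENTS[doc_id]["owner"] != user:
        raise AccessDenied("not found or not permitted")
    return DOCUMENTS[doc_id]


def access_allowed(session_token: str, doc_ref: str) -> bool:
    """Convenience wrapper for tests and access logging: True only on success."""
    try:
        fetch_document_hardened(session_token, doc_ref)
        return True
    except AccessDenied:
        return False
```

A server-side audit log of `AccessDenied` events per session is the natural detection point: a single client tripping many denials in a short window is the signature of someone walking the archive.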

“Many of the exposed files are records of wire transactions with bank account numbers

Continue reading “First American site bug exposed 885 million sensitive title insurance records”

WikiLeaks’ Assange charged under the Espionage Act in a ‘major test case’ for press freedom


This post is by Zack Whittaker from TechCrunch






Julian Assange, founder of whistleblowing site WikiLeaks, now faces over a dozen additional charges from U.S. federal prosecutors, including under the controversial Espionage Act — a case that will likely test the rights of freedom of speech and expression under the First Amendment.

Assange, 47, was arrested at the Ecuadorean embassy in London in April after the U.S. government charged him with conspiracy to hack a government computer used by then army officer Chelsea Manning to leak classified information about the Iraq War. Ecuador withdrew his asylum request seven years after he first entered the embassy in 2012 to avoid extradition to Sweden to face unrelated allegations of rape and sexual assault. Assange was later jailed in the U.K. for a year for breaking bail while he was in the embassy.

According to the newly unsealed indictment, Assange faces 17 new charges — including

Continue reading “WikiLeaks’ Assange charged under the Espionage Act in a ‘major test case’ for press freedom”

Hunters.ai raises $4.5M for its autonomous threat hunting solution


This post is by Frederic Lardinois from TechCrunch






Hunters.ai, a Tel Aviv-based startup that built an AI-based threat hunting solution, today announced that it has raised a $5.4 million seed funding round led by YL Ventures and Blumberg Capital.

Threat hunting has traditionally been a rather manual practice, where analysts try to actively identify potential threats to their systems. This has always been a very data-driven activity, though, so it’s no surprise that a number of startups are now looking to automate the process. Not all attacks are as easy to spot as an attacker trying to brute force a password. Sometimes, for example, a sophisticated attacker may already have valid credentials to get into a network. It’s then up to the hunter and hunting tools to recognize that there is unusual activity, because, in the end, these attackers always leave a few breadcrumbs in their wake.

The Hunters team tells me

Continue reading “Hunters.ai raises $4.5M for its autonomous threat hunting solution”

A cryptocurrency stealing app found on Google Play was downloaded over a thousand times


This post is by Zack Whittaker from TechCrunch






Researchers have found two apps masquerading as cryptocurrency apps on Android’s app store, Google Play.

One of them was largely a dud. The second was designed to steal cryptocurrency, the researchers said.

Security firm ESET said one of the two fake Android apps impersonated Trezor, a hardware cryptocurrency wallet. The good news is that app couldn’t be used to steal cryptocurrency stored by Trezor. But the researchers found the app was connected to a second Android app which could have been used to scam funds out of unsuspecting victims.

Lukas Stefanko, a security researcher at ESET — who has a long history of finding dodgy Android apps — said the fake Trezor app “appeared trustworthy at first glance” but was using a fake developer name to impersonate the company.

The fake app was designed to trick victims into handing over their login credentials. Uploaded to Google Play on May

Continue reading “A cryptocurrency stealing app found on Google Play was downloaded over a thousand times”

Spotify resets some account passwords citing ‘suspicious activity’


This post is by Zack Whittaker from TechCrunch






Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account password, but has left dozens of users asking why.

In an email, some Spotify users were told their password was reset “due to detected suspicious activity,” but the email gave no further details.

When reached, Spotify spokesperson Peter Collins said: “As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their

Continue reading “Spotify resets some account passwords citing ‘suspicious activity’”

Amazon shareholders reject facial recognition sale ban to governments


This post is by Zack Whittaker from TechCrunch






Amazon shareholders have rejected two proposals that would have requested the company not to sell its facial recognition technology to government customers.

The breakdown of the votes is not immediately known. A filing with the vote tally is expected later this week.

The first proposal would have requested Amazon to limit the sale of its Rekognition technology to police, law enforcement and federal agencies. A second resolution would have demanded an independent human and civil rights review into the use of the technology.

It followed accusations that the technology has bias and inaccuracies, which critics say can be used to racially discriminate against minorities.

The votes were non-binding, allowing the company to reject the outcome of the vote.

But the vote was almost inevitably set to fail. Following his divorce, Amazon founder and chief executive Jeff Bezos retains 12 percent of the company’s stock as well as the voting rights

Continue reading “Amazon shareholders reject facial recognition sale ban to governments”

DuckDuckGo founder Gabriel Weinberg is coming to Disrupt


This post is by Natasha Lomas from TechCrunch






2019 is the year Facebook announced a ‘pivot to privacy’. At the same time, Google is trying to claim that privacy means letting it exclusively store and data-mine everything you do online. So what better time to sit down at Disrupt for a chat about what privacy really means with DuckDuckGo founder and CEO Gabriel Weinberg?

We’re delighted to announce that Weinberg is joining us at Disrupt SF (October 2-4).

The pro-privacy search engine he founded has been on a mission to shrink the shoulder-surfing creepiness of Internet searching for more than a decade, serving contextual keyword-based ads rather than pervasively tracking users to maintain privacy-hostile profiles. (If you can’t quite believe the decade bit, here’s DDG’s startup Elevator Pitch — which we featured on TC all the way back in 2008.)

It’s a position that looks increasingly smart as big tech comes under sharper political and regulatory scrutiny

Continue reading “DuckDuckGo founder Gabriel Weinberg is coming to Disrupt”

Thousands of vulnerable TP-Link routers at risk of remote hijack


This post is by Zack Whittaker from TechCrunch






Thousands of TP-Link routers are vulnerable to a bug that can be used to remotely take control of the device, but it took more than a year for the company to publish the patches on its website.

The vulnerability allows any low-skilled attacker to remotely gain full access to an affected router. The exploit relies on the router’s default password to work, which many don’t change.

In the worst-case scenario, an attacker could target vulnerable devices on a massive scale, using a similar mechanism to how botnets like Mirai worked — by scouring the web and hijacking routers using default passwords like “admin” and “pass.”

Andrew Mabbitt, founder of U.K. cybersecurity firm Fidus Information Security, first discovered and disclosed the remote code execution bug to TP-Link in October 2017. TP-Link released a patch a few weeks later for the vulnerable WR940N router, but Mabbitt warned TP-Link again in

Continue reading “Thousands of vulnerable TP-Link routers at risk of remote hijack”

Google says some G Suite user passwords were stored in plaintext since 2005


This post is by Zack Whittaker from TechCrunch






Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.

The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are onboarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.

Google has since removed the feature.

No

Continue reading “Google says some G Suite user passwords were stored in plaintext since 2005”

Daily Crunch: Instagram influencer contact info exposed


This post is by Anthony Ha from TechCrunch






The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

1. Millions of Instagram influencers had their private contact data scraped and exposed

A massive database containing contact information for millions of Instagram influencers, celebrities and brand accounts was found online by a security researcher.

We traced the database back to Mumbai-based social media marketing firm Chtrbox. Shortly after we reached out, Chtrbox pulled the database offline.

2. US mitigates Huawei ban by offering temporary reprieve

Last week, the Trump administration effectively banned Huawei from importing U.S. technology, a decision that forced several American companies, including Google, to take steps to sever their relationships. Now, the Department of Commerce has announced that Huawei will receive a “90-day temporary general license” to continue to use U.S.

Continue reading “Daily Crunch: Instagram influencer contact info exposed”

Facebook still a great place to amplify pre-election junk news, EU study finds


This post is by Natasha Lomas from TechCrunch






A study carried out by academics at Oxford University to investigate how junk news is being shared on social media in Europe ahead of regional elections this month has found individual stories shared on Facebook’s platform can still hugely outperform the most important and professionally produced news stories, drawing as much as 4x the volume of Facebook shares, likes, and comments.

The study, conducted for the Oxford Internet Institute’s (OII) Computational Propaganda Project, is intended to respond to widespread concern about the spread of online political disinformation on EU elections which take place later this month, by examining pre-election chatter on Facebook and Twitter in English, French, German, Italian, Polish, Spanish, and Swedish.

Junk news in this context refers to content produced by known sources of political misinformation — aka outlets that are systematically producing and spreading “ideologically extreme, misleading, and factually incorrect information” — with the researchers comparing

Continue reading “Facebook still a great place to amplify pre-election junk news, EU study finds”

Millions of Instagram influencers had their private contact data scraped and exposed


This post is by Zack Whittaker from TechCrunch






A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.

The database, hosted by Amazon Web Services, was left exposed and without a password, allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by the hour.

From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country, but also contained their private contact information, such as the Instagram account owner’s email address and phone number.

Security researcher Anurag Sen discovered the database and alerted TechCrunch in an effort to find the owner and get the database secured. We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers

Continue reading “Millions of Instagram influencers had their private contact data scraped and exposed”

Amazon under greater shareholder pressure to limit sale of facial recognition tech to the government


This post is by Zack Whittaker from TechCrunch






This week could mark a significant setback for Amazon’s facial recognition business if privacy and civil liberties advocates — and some shareholders — get their way.

Months earlier, shareholders tabled a resolution to limit the sale of Amazon’s facial recognition tech, called Rekognition, to law enforcement and government agencies. It followed accusations of bias and inaccuracies with the technology, which they say can be used to racially discriminate against minorities. Rekognition, which runs image and video analysis of faces, has been sold to two states so far, and Amazon has pitched Immigration and Customs Enforcement. A second resolution would require an independent human and civil rights review of the technology.

Now the ACLU is backing the measures and calling on shareholders to pass the resolutions.

“Amazon has stayed the course,” said Shankar Narayan, director of the Technology and Liberty Project at the ACLU Washington, in a call Friday. “Amazon has heard

Continue reading “Amazon under greater shareholder pressure to limit sale of facial recognition tech to the government”

Google’s own data proves two-factor is the best defense against most account hacks


This post is by Zack Whittaker from TechCrunch






Every once in a while someone will ask me what is the best security advice.

The long answer is “it depends on your threat model,” which is just a fancy way of saying what’s good security advice for the vast majority isn’t necessarily what nuclear scientists and government spies require.

My short answer is, “turn on two-factor.” Yet, nobody believes me.

Ask almost any cybersecurity professional and it’ll likely rank as more important than using unique or strong passwords. Two-factor, which adds an additional step in your usual log-in process by sending a unique code to a device you own, is the greatest defense between a hacker and your online account data.

But don’t take my word for it. Google data out this week shows how valuable even the weakest, simplest form of two-factor can be against attacks.

The research, with help from New York University and the University

Continue reading “Google’s own data proves two-factor is the best defense against most account hacks”

‘Crypto exchange’ Goxtrade caught using other people’s photos on its staff page


This post is by Zack Whittaker from TechCrunch






Alleged cryptocurrency exchange Goxtrade bills itself as a “trusted platform for trading bitcoins,” but its staff page is filled with photos of people pulled seemingly at random from the internet.

The alleged exchange, which claimed to have debuted in 2017 even though its website is only a little more than a week old, used photos taken from social media profiles and other company websites not associated with the company.

Bizarrely, the alleged exchange didn’t bother to change all of the names of the people whose photos it used.

Amber Baldet, co-founder of Clovyr, a prominent figure in the blockchain community, and listed in Fortune’s ’40 Under 40′, was one of the people whose name and photos appeared on the site.

“Fraud alert: I am not a developer at Goxtrade and probably their entire business is a lie,” she tweeted Friday.

After breach, Stack Overflow says some user data exposed


This post is by Zack Whittaker from TechCrunch






After disclosing a breach earlier this week, Stack Overflow has confirmed some user data was accessed.

In case you missed it, the developer knowledge sharing site confirmed Thursday a breach of its systems last weekend, resulting in unauthorized access to production systems — the front-facing servers that actively power the site. The company gave few details, except that customer data was unaffected by the breach.

Now the company said the intrusion on the website began about a week earlier and “a very small number” of users had some data exposed.

“The intrusion originated on May 5 when a build deployed to the development tier for stackoverflow.com contained a bug, which allowed an attacker to log in to our development tier as well as escalate their access on the production version of stackoverflow.com,” said Mary Ferguson, vice president of engineering.

“This change was quickly identified and we revoked their

Continue reading “After breach, Stack Overflow says some user data exposed”

Stack Overflow confirms breach, but customer data said to be unaffected


This post is by Zack Whittaker from TechCrunch






Developer knowledge sharing site Stack Overflow has confirmed hackers breached its systems, but said customer data is unaffected.

“Over the weekend, there was an attack on Stack Overflow,” wrote Mary Ferguson, vice president of engineering. “We have confirmed that some level of production access was gained on May 11.”

“We discovered and investigated the extent of the access and are addressing all known vulnerabilities,” said Ferguson. “We have not identified any breach of customer or user data,” she said.

An investigation into the breach is ongoing.

The company otherwise remained tightlipped about the breach, its cause, and the effect. We’ve sent several questions to the company but did not immediately hear back.

Stack Overflow has more than 50 million developer members who use the site to share code and knowledge. It remains one of the top 50 most popular sites on the web, according to rankings by internet analytics

Continue reading “Stack Overflow confirms breach, but customer data said to be unaffected”

Europol, DOJ announce the takedown of the GozNym banking malware


This post is by Zack Whittaker from TechCrunch






Europol and the U.S. Justice Department, with help from six other countries, have disrupted and dismantled the GozNym malware, which they say stole more than $100 million from bank accounts since it first emerged.

In a press conference in The Hague, prosecutors said 10 defendants in five countries are accused of using the malware to steal money from more than 41,000 victims, mostly businesses and financial institutions.

Five defendants were arrested in Moldova, Bulgaria, Ukraine and Russia. The leader of the criminal network and his technical assistant are being prosecuted in Georgia.

The remaining five defendants, all Russian nationals, remain on the run, said prosecutors.

All were charged with conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud, and conspiracy to commit money laundering. An eleventh member of the conspiracy, Krasimir Nikolov, was previously charged and extradited to the U.S. in 2016

Continue reading “Europol, DOJ announce the takedown of the GozNym banking malware”

Egnyte brings native G Suite file support to its platform


This post is by Ron Miller from TechCrunch






Egnyte announced today that customers can now store G Suite files inside its storage, security and governance platform. This builds on the support the company previously had for Office 365 documents.

Egnyte CEO and co-founder Vineet Jain says that while many enterprise customers have seen the value of a collaborative office suite like G Suite, they might have stayed away because of compliance concerns (whether that was warranted or not).

He said that Google has been working on an API for some time that allows companies like Egnyte to decouple G Suite documents from Google Drive. Previously, if you wanted to use G Suite, you had no choice but to store the documents in Google Drive.

Jain acknowledges that the actual integration is pretty much the same as his competitors because Google determined the features. In fact, Box and Dropbox announced similar capabilities over the last year, but he believes his

Egnyte storage and compliance platform

Continue reading “Egnyte brings native G Suite file support to its platform”

CrowdStrike, a cybersecurity unicorn, files to go public


This post is by Kate Clark from TechCrunch






If you thought Uber’s disastrous initial public offering last week would deter fellow venture-backed technology companies from pursuing the public markets in 2019, you thought wrong.

Crowdstrike, yet another multi-billion-dollar Silicon Valley ‘unicorn’, has filed to go public. The cloud-based cybersecurity platform valued at $3.3 billion in 2018 revealed its IPO prospectus Tuesday afternoon.

The company plans to trade on the Nasdaq under the ticker symbol “CRWD.” According to the filing, it intends to raise $100 million, though that figure is typically a placeholder amount. To date, Crowdstrike has raised $480 million in venture capital funding from Warburg Pincus, which owns a 30.3 percent pre-IPO stake, Accel (20.3 percent) and CapitalG (11.2 percent).

As we’ve come to expect with these things, Crowdstrike’s financials are a bit concerning for an IPO-ready business. While its revenues are growing at an impressive rate from $53 million in

Continue reading “CrowdStrike, a cybersecurity unicorn, files to go public”