• Search Results for 'zack whittaker'


    Viewing 15 results - 1 through 15 (of 21 total)
    • #2014867

      A good write up by @zackwhittaker:

      Active attacks and exploits against smart TVs are rare, but not unheard of. Because every smart TV comes with their manufacturer’s own software and are at the mercy of their often unreliable and irregular security patching schedule, some devices are more vulnerable than others.

    • #2012864

      Vistaprint left a customer service database unprotected, exposing calls, chats and emails

      By Zack Whittaker | November 26, 2019

       
      A security researcher has found an exposed database on the internet belonging to online printing giant Vistaprint.

      There was no password on the database, allowing anyone to access the data inside.

      Vistaprint, owned by Netherlands-based parent Cimpress, quietly took the database offline after TechCrunch reached out but did not comment by our deadline. Robert Crosland, a spokesperson for Vistaprint, said in a statement after we published that the exposure affected customers in the U.S., the U.K. and Ireland.

      The company said it will inform customers of the exposure — many of whom are protected under the strict GDPR data protection rules.

      The data also contained some account information, including work email addresses and some phone numbers belonging to Vistaprint customer service staff.

      It’s the latest example of a security lapse involving lax internal data controls. This year alone, several data exposures have put millions of customers at risk…

       
      Read the full article here

      1 user thanked author for this post.
    • #2004257

      Twitter thread between @zackwhittaker, who wrote this TechCrunch article on the issue, and @campuscodi:

      https://twitter.com/zackwhittaker/status/1194316110864297986?s=20
      https://twitter.com/campuscodi/status/1194316514377240577?s=20

      One workaround is to simply revoke camera and microphone access to the Facebook app in their iOS settings.

    • #345893

      A fiery condemnation from Zack Whittaker at TechCrunch: A security researcher warned Asus two months ago that employees were improperly publishing pas
      [See the full post at: TechCrunch: ASUS was warned of hacking risks months ago, but did nothing about it]

      2 users thanked author for this post.
    • #328065

      ClassPass, Gfycat, StreetEasy hit in latest round of mass site hacks

      By Zack Whittaker | February 16th, 2019

       
      In just a week, a single seller put close to 750 million records from 24 hacked sites up for sale. Now, the hacker has struck again.

      The hacker, whose identity isn’t known, began listing user data from several major websites — including MyFitnessPal, 500px and Coffee Meets Bagel, and more recently Houzz and Roll20 — earlier this week. This weekend, the hacker added their third round of data breaches — another eight sites, amounting to another 91 million user records — on their dark web marketplace.

      From the samples that TechCrunch has seen, the accounts include some variations of usernames and email addresses, names, locations by country and region, account creation dates, passwords hashed in various formats, and other account information.

      To date, the hacker has revealed breaches at 30 companies, totaling some 841 million records.

      Little is known about the hacker, and it remains unclear exactly how these sites were hacked.

       
      Read the full article here

      1 user thanked author for this post.
    • #242262

      Many of you will be familiar with Zack Whittaker’s work. Zack is now TechCrunch’s Security Editor, and was formerly the same at zdnet.com until a few
      [See the full post at: “this week in security” newsletter]

      9 users thanked author for this post.
    • #213728

      Yahoo still scans your emails for ads — even if its rivals won’t
      By Zack Whittaker | August 28, 2018

       
      You’re not the only one reading your emails.

      A deep dive in The Wall Street Journal on Tuesday dug out new details on a massive email scanning operation by Oath, the Verizon-owned subsidiary that’s the combined business of AOL and Yahoo. The email scanning program analyzes over 200 million AOL and Yahoo inboxes for data that can be sold to advertisers. (Disclosure: TechCrunch is owned by Verizon by way of Oath.)

      The logic goes that by learning about its users, the internet giant can hone its ad targeting effort to display the most relevant ads.

      But where other major email providers have bailed from email scanning amid privacy scandals and security issues, Oath remains the outlier.

      Google … still uses machine learning to help you reply to emails.

      It should go without saying, email isn’t the most sensitive or secure communications medium, and inboxes should never be assumed to be private — not least from law enforcement and the companies themselves.

       
      Read the full article here

      5 users thanked author for this post.
    • #135315

      Twitter/ Zack Whittaker wrote:
      Secure your Yahoo account with 2FA, but do not delete it. Deleting it will recycle your account after 30 days — and anyone can hijack it.

      On a related note, “dormant” Yahoo Mail accounts automatically get deleted after 12 months of “inactivity” since the last-detected user login. So I guess these accounts are vulnerable to hijacking as well.

      But the thing is: “Inactivity” might merely mean that the Yahoo Mail system doesn’t detect any user login via a desktop browser. It is not clear if regular mail synching/sending via standalone mail clients or accessing Yahoo Mail via a mobile interface are regarded as valid logins.

      For the case of Outlook.com/ Hotmail, I understand that one has to log in using a desktop browser at least once every 270 days, because other means of accessing the webmail do not appear to constitute a login.

    • #132796

      Update from Zack Whittaker:

      Linked PR graphic shows “You can determine your status immediately” & “No waiver of rights for this cyber security incident”.

      2 users thanked author for this post.
    • #132766

      Zack Whittaker, Security Editor at zdnet.com, has tweeted a Public Service Announcement (#PSA) on the Equifax check website (which I haven’t successfully located in checking):

      4 users thanked author for this post.
    • #121957

      Microsoft says ‘no known ransomware’ runs on Windows 10 S — so we tried to hack it By Zack Whittaker | June 24, 2017 We enlisted a leading security r
      [See the full post at: ZDNet: Windows 10 S, the safest Windows yet, can be hacked]

      2 users thanked author for this post.
    • #114739

      Zdnet.com filed a Freedom of Information request for the browsing history of the FCC chairman, who voted to approve ISPs selling browsing history, but was not provided the requested information.

      In other words, Pai voted to allow internet providers to turn over your browsing history, but won’t let anyone see his.

      Zack Whittaker’s article is an interesting read:
      http://www.zdnet.com/article/fcc-chairman-browsing-history-freedom-of-information/

      2 users thanked author for this post.
    • #112918

      Two-factor security is so broken, now hackers can drain bank accounts
      Criminals have exploited a known flaw in how calls and text messages travel around the world to redirect a two-factor code for a person’s bank account.

      By Zack Whittaker for Zero Day | May 4, 2017

       
      We’ve known for years that a key protocol that allows global cellular networks to communicate with each other had vulnerabilities — and nobody really took it that seriously.

      Hackers and politicians alike have been warning for years that these flaws in the calling and text message routing system, known as Signaling System 7 (SS7), can be used to intercept and redirect calls and text messages, allowing hackers to eavesdrop on almost any phone in the world.

      Now, financially driven hackers are using the weakness to intercept text messages that deliver two-factor codes to bank customers to break in and empty their bank accounts, according to a report in a German newspaper.

      It’s likely the first known account of the SS7 vulnerability being exploited in the wild by a malicious actor, rather than for demonstrative purposes.

      “Both the Federal Communications Commission and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number,” he added, before urging Congress to hold “immediate hearings” on the matter.

      Just last year, the National Institute of Standards and Technology (NIST) said that it would deprecate its advice — albeit, not entirely advise against — for text message-based authentication, because it wasn’t as secure as other forms of two-factor authentication — such as apps, like Google Authenticator and Authy, which use end-to-end encryption to send two-factor codes.

       
      Read the full article here

       
      Further articles on this issue:
      Hackers are stealing money from Bank accounts in Germany by exploiting flaws in #SS7 protocol
      On SecurityAffairs.co

      Is your money safe? Bank hack could affect MILLIONS of customers around the world by intercepting two-step login verification codes
      On DailyMail.co.uk

      Phone Hack Drains German Bank Accounts
      On PCMag.com

      5 users thanked author for this post.
    • #102890

      Hundreds of Cisco switches vulnerable to flaw found in WikiLeaks files

      The flaw was found by Cisco security researchers, despite WikiLeaks’ claiming that the CIA hacking unit disclosures did not contain working vulnerabilities.
      http://www.zdnet.com/article/cisco-warns-of-critical-security-flaw-found-buried-in-wikileaks-vault-7-disclosure/

      By Zack Whittaker for Zero Day | March 20, 2017 — 16:56 GMT (09:56 PDT) | Topic: Security

