GetHealth, a health and wellness company in New York City, leaked data from a non-password protected database with over 61 million records.
Security
Security Friday and Epic Updates – TMO Daily Observations 2021-09-10
Andrew Orr joins host Kelly Guimont to discuss Security Friday news and the latest in the Apple v Epic lawsuit.
Security Researchers are Fed Up With Apple's Bug Bounty Program
For five years Apple has invited ethical hackers to break into its products to look for flaws. But these security experts are tired of the program.
The best programs support open conversations between the hackers and the company. Apple, already known for being tight-lipped, limits communication and feedback on why it chooses to pay or not pay for a bug, according to security researchers who have submitted bugs to the bounty program and a former employee who spoke on the condition of anonymity because of a nondisclosure agreement.
Microsoft President Brad Smith Says Government Agencies Need to Share Data
Microsoft President Brad Smith says intelligence agencies need to share information to better protect the nation against cyberattacks.
Repeatedly in late 2020 we found people in federal agencies asking us about information in other parts of the government, because it was easier to get it from us than directly from other federal employees. A culture of holding information tightly is so ingrained in the government that even its contracts with us forbid us from letting one part of the government know that another part has been attacked.
Germany Secretly Purchased NSO Group Spyware 'Pegasus'
A report reveals that Germany’s Federal Criminal Police Office (BKA) had purchased the Pegasus spyware to monitor suspects.
Here are the First States to Support iOS 15 Digital IDs
On Wednesday Apple revealed which U.S. states are the first to support storage of IDs within Apple Wallet in iOS 15 and watchOS 8.
AdGuard: 'People Should be Worried About Apple CSAM Detection'
Adblocking company AdGuard is the latest to offer commentary on Apple’s controversial decision to detect CSAM in iCloud Photos. The team ponders ways to block it using their AdGuard DNS technology.
We consider preventing uploading the safety voucher to iCloud and blocking CSAM detection within AdGuard DNS. How can it be done? It depends on the way CSAM detection is implemented, and before we understand it in detail, we can promise nothing particular.
Who knows what this base can turn into if Apple starts cooperating with some third parties? The base goes in, the voucher goes out. Each of the processes can be obstructed, but right now we are not ready to claim which solution is better and whether it can be easily incorporated into AdGuard DNS. Research and testing are required.
Security Friday: News, Leaks vs Breaches, Metadata – TMO Daily Observations 2021-08-27
Andrew Orr joins host Kelly Guimont to discuss data leaks vs data breaches, security news, and what metadata actually entails.
Chinese Hackers May be Stealing Data to Feed an Artificial Intelligence
Dina Temple-Raston of NPR published a fascinating investigation regarding the Microsoft Exchange attack earlier in 2021.
Officials believe that the breach was in the service of something bigger: China’s artificial intelligence ambitions. The Beijing leadership aims to lead the world in a technology that allows computers to perform tasks that traditionally required human intelligence — such as finding patterns and recognizing speech or faces.
US Air Force Contract Aims to Improve Blockchain Security
The United States Air Force will use Constellation’s Hypergraph Network to provide data security with the Department of Defense’s commercial partners.
Constellation said it had been working with Kinnami Software Corporation to develop an end-to-end data security solution using blockchain encryption and distributed data management for the United States Transportation Command, Air Mobility Command’s 618th Air Operations Center, and a Civil Reserve Air Fleet partner. According to the platform, its goal is to securely exchange data with commercial partners on missions involving the operations of aircraft and ships under contract to the Department of Defense, or DoD.
Data Leak From Chinese Company 'EskyFun' Affects 1 Million Gamers
The research team at vpnMentor discovered an unsecured server from Chinese mobile gaming company EskyFun. It exposed data for over a million Android gamers.
The resulting records contained a lot of sensitive information, including: IP address, IMEI number, Mobile application package doing the tracking, Device screen size – whether a device is ‘rooted’*, Device model, Phone number (if any), Platform (Android/iOS), NetType (WiFi or cellular), Events (open, login, level_up, etc.).
Not so fun anymore.
Your Internet Activity May be Traceable Even Through a VPN
Netflow data refers to IP network traffic that can be collected as it enters or exits an interface. Using this aggregate data, it’s possible to trace network traffic even if a person uses a VPN. Internet service providers sell this information to third parties.
At a high level, netflow data creates a picture of traffic flow and volume across a network. It can show which server communicated with another, information that may ordinarily only be available to the server owner or the ISP carrying the traffic. Crucially, this data can be used for, among other things, tracking traffic through virtual private networks, which are used to mask where someone is connecting to a server from, and by extension, their approximate physical location.
Social Engineering Majority of Business Attacks in 2020
Speaking of social engineering, new data from Atlas VPN shows this kind of attack was responsible for the majority of business breaches in 2020.
According to the data presented by the Atlas VPN team, social engineering cyberattacks were the primary cause of company breaches in 2020 at 14%, followed by advanced persistent threats, unpatched systems and ransomware. As a result, learning to prevent social engineering attacks needs to be a top priority for businesses.
Scammer Stole Over 620,000 iCloud Photos Looking for Nudes
Hao Kuo Chi, 40, of La Puente, has agreed to plead guilty to four felonies, including conspiracy to gain unauthorized access to a computer.
Tim Cook, Satya Nadella, Andy Jassy to Visit White House for Cybersecurity
The CEOs of Apple, Microsoft, and Amazon will attend a meeting at the White House to discuss cybersecurity.
Misconfigured Microsoft Power Apps Leaked 38 Million Database Records
Over a thousand web apps from Microsoft’s Power Apps platform have leaked 38 million records. This data includes COVID-19 contact tracing.
The data included a range of sensitive information, from people’s phone numbers and home addresses to social security numbers and COVID-19 vaccination status.
The incident affected major companies and organizations, including American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools.
Apps and Stores and Sideloading – TMO Daily Observations 2021-08-23
Bryan Chaffin and Dave Hamilton join host Kelly Guimont to discuss new legislation around App Stores and “sideloading” of apps on iOS.
The Secret Security Features in macOS Big Sur
There are security features that Apple tells us about on stage at keynotes, and then there are hidden improvements it doesn’t mention.
macOS has gradually made the UNIX security model irrelevant. For example, even the superuser is only allowed to access the private documents of a regular user with the user’s permission—permission that is given on a per-application basis, through that protector of users and bane of developers known as the Transparency, Consent & Control (TCC) framework.
Security Friday: This Week In Data Breaches – TMO Daily Observations 2021-08-20
Andrew Orr and Kelly Guimont chat about the latest Security Friday news, including data breaches and ways to protect your data.
Cloudflare Saw Massive DDoS Attack at 17.2 Million RPS
On Friday network provider Cloudflare shared how it mitigated a record-breaking 17.2 million request-per-second (rps) DDoS attack.
Coinbase Announces Phone Support for Account Takeovers
On Thursday, crypto exchange Coinbase announced phone support in the event of an account takeover.
Today, we’re beginning to roll out phone support for ATOs, to provide customers with a live agent to kick off an investigation. If you believe you’re a victim of an ATO, please call +1 888 908–7930 or visit our support page to protect your account and get help.
Since 2015 Cyber Attacks Have Cost Companies Over $25 Billion
A report on Wednesday shows that the damage from cyber attacks has reached over US$25 billion since 2015.
The most costly attacks are credential attacks (the theft of an organization or individual’s passwords), which have accounted for $6.4 billion in company losses. Often, these credentials are stolen and then sold on the dark web, which happened in the recent T-Mobile breach. Backdoors, like what was used in the SolarWinds hack, have cost companies $5.6 billion.
Apple’s NeuralHash Algorithm for CSAM Detection Has Been Extracted
The NeuralHash algorithm that Apple will use to detect child sexual abuse material (CSAM) has been extracted from a device and rebuilt using Python.
Corellium Will Award Researchers to Examine Apple CSAM Scanning Claims
On Tuesday Corellium announced the launch of the Corellium Open Security Initiative. It will support independent public research of mobile security.
