Prison Phone Service ‘Telmate’ Leaks Data of Inmates

Telmate, owned by Global Tel Link, makes an app for prisoners to send messages and make calls to friends and family. It exposed a database of private messages, call logs, and personal information that numbers in the tens of millions. Why? The database wasn’t secured with a password.

Comparitech security researcher Bob Diachenko on August 13, 2020 discovered the unsecured database and immediately reported it to Global Tel Link, the company that owns and operates Telmate. The company, to its credit, responded within two hours and secured the database an hour later, but it’s possible that other unauthorized parties accessed it prior to Diachenko’s disclosure.

ProtonDrive’s End-to-End Encryption Security Revealed

ProtonDrive (from the makers of ProtonMail and ProtonVPN) is in the final stages of development before it gets a beta launch later in 2020. The team revealed its end-to-end encryption security in a blog post.

Files and folders are arranged in a tree structure. Therefore, there is a recurring pattern where a file or folder’s asymmetric key is locked with a passphrase, which in turn is encrypted with the asymmetric key of their parent folder. All passphrases are signed with the address key of the user, without which a malicious server could forge the contents of the tree.

This ‘Clear Clipboard’ Shortcut Empties Your Clipboard Automatically

Redditor u/SpamSencer created a Clear Clipboard shortcut that does exactly what the name says: It automatically clears your clipboard. With iOS 14, Apple introduced a feature that shows when an app, like those from TikTok and Microsoft, accesses the clipboard. You could even set the shortcut up as an automation (an iOS 14 feature) so that it runs whenever you open any app of your choosing. You’ll just have to painstakingly tap on every app you have installed if you choose to automate it.

‘Deep Social’ Data Leak Exposes 235 Million Profiles of Instagram, TikTok, YouTube

A database containing almost 235 million social media profiles of users from Instagram, TikTok, and YouTube has been exposed because it wasn’t password-protected.

Evidence suggests that much of the data originally came from a now-defunct company: Deep Social. The names of the Instagram datasets (accounts-deepsocial-90 and accounts-deepsocial-91) hint at the data’s origin. Based on this, [security researcher Bob] Diachenko first contacted Deep Social using the email address listed on its website to disclose the exposure. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later.

pCloud Update Lets Users Decide Where Files are Stored

pCloud is an encrypted cloud storage service, and a recent update gave users the ability to decide in which server their files are stored.

All pCloud users will be able to choose the server location where their files are stored. This will give users greater control over the security of their files. Once the choice of where to store the data is made during registration – in the US or Europe – it is practically impossible to transfer them without the user’s knowledge or permission. Currently, the option to select the server location is available only to newly registered users.

‘Have I Been Pwned’ Database Now Open Source

Troy Hunt is making his Have I Been Pwned database open source. He says it’s already a community project with companies like Cloudflare providing free services to HIBP.

The single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn’t changed; the project cannot be solely dependent on me. Yet that’s where we are today and if I disappear, HIBP quickly withers and dies.

20GB Intel Data Leak Spread on Twitter Includes Source Code

An anonymous leaker took to Twitter to leak 20GB of Intel data and says more is coming soon.

The poster encourages downloaders to look for mentions of ‘backdoors’ in some of the Intel source code, and even provides a sample clip of one such listing, but we aren’t sure of the intentions behind the listings in the code.

Hitting Command + F to look for mentions of backdoors, because such backdoors would conveniently be labeled as such, right?

LastPass Dark Web Monitoring, Security Dashboard Here

LogMeIn announced on Wednesday the arrival of LastPass dark web monitoring, as well as a security dashboard for the password manager.

The new LastPass dark web monitoring feature proactively checks email addresses against a 3rd party database of breached credentials. If that email address has been found in the database, the user will be immediately notified by email and with a message directly in their LastPass Security Dashboard. From there, users will be prompted to update the password for that compromised account.

IT Security Manager, NIST, Bob Gendler - BGM Interview

Bob Gendler is an IT Specialist in the Apple world and a Jamf guru. He holds a B.S. degree in Information Technology from the Rochester Institute of Technology. He is now part of the Mac Management team at NIST, the National Institute of Standards and Technology, in Washington, D.C.

From a very early age, Bob fell into the world of Apple starting with an Apple IIgs and, as a teenager, a Power Mac 6100. Quickly, as an undergraduate, his specialty became system administration, and, later, that served him well landing the job at NIST. Bob filled me in on his latest project, the “macOS Security Compliance Project,” and the security problem the community faced with macOS. Basically, the new GitHub project leverages a library of scriptable actions which are mapped to compliance requirements in existing security guides or used to develop customized guidance. Bob nicely explains this crucial tool, his team, and who would benefit.

Sorry, Catnip Won’t Protect You Against the Meow Attack

Over 1,000 insecure databases have been completely erased, and the attackers leave no trace except the word “meow.”

Since then, Meow and a similar attack have destroyed more than 1,000 other databases. At the time this post went live, the Shodan computer search site showed that 987 ElasticSearch and 70 MongoDB instances had been nuked by Meow. A separate, less-malicious attack tagged an additional 616 ElasticSearch, MongoDB, and Cassandra files with the string “university_cybersec_experiment.” The attackers in this case seem to be demonstrating to the database maintainers that the files are vulnerable to being viewed or deleted.

Better erased than breached, right?

DNA Company ‘GEDmatch’ Hacked in Data Breach

First, over a million DNA profiles from GEDmatch were leaked. Then, email addresses from the breach were used in a phishing attack against users of genealogy website MyHeritage.

As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.

If GEDmatch sounds familiar, it was the DNA database used to identify the Golden State Killer.