CISA Believes China Hacked US Government Systems

· Andrew Orr · Link


According to the Cybersecurity and Infrastructure Security Agency, Chinese-affiliated hackers have compromised U.S. government computer systems.

“This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools,” the advisory states. “CISA observed activity from a Federal Government IP address beaconing out to the threat actors’ [command and control] server.”

Can we just get it together for 10 seconds, please?

Gaming Company Razer Leaked 100,000 Users’ Data

· Andrew Orr · Link


In August, security researcher Volodymyr Diachenko found a server owned by Razer that exposed the data of over 100,000 users. It took the company over three weeks to get around to fixing the issue.

The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you’d expect to see from a credit card transaction, although not the credit card numbers themselves. The Elasticsearch cluster was not only exposed to the public, it was indexed by public search engines.

Reboot Your iPhone Weekly as a Security Measure

· Andrew Orr · Link


Adrian Kingsley-Hughes has a tip for iPhone owners: Reboot it at least once a week as a security measure.

Not only does this clean the system’s RAM and get it ready to do more work, it also helps protect against remote exploits by making it harder for hackers to keep control of your iPhone — hacks don’t survive reboots.

A good, practical, and easy tip for Apple users.

Prison Phone Service ‘Telmate’ Leaks Data of Inmates

· Andrew Orr · Link


Telmate, owned by Global Tel Link, makes an app for prisoners to send messages and make calls to friends and family. It exposed a database of private messages, call logs, and personal information numbering in the tens of millions of records. Why? The database wasn’t secured with a password.

Comparitech security researcher Bob Diachenko on August 13, 2020 discovered the unsecured database and immediately reported it to Global Tel Link, the company that owns and operates Telmate. The company, to its credit, responded within two hours and secured the database an hour later, but it’s possible that other unauthorized parties accessed it prior to Diachenko’s disclosure.

ProtonDrive’s End-to-End Encryption Security Revealed

· Andrew Orr · Link

ProtonDrive (from the makers of ProtonMail and ProtonVPN) is in the final stages of development before it gets a beta launch later in 2020. The team revealed its end-to-end encryption security in a blog post.

Files and folders are arranged in a tree structure. Therefore, there is a recurring pattern where a file or folder’s asymmetric key is locked with a passphrase, which in turn is encrypted with the asymmetric key of their parent folder. All passphrases are signed with the address key of the user, without which a malicious server could forge the contents of the tree.

This ‘Clear Clipboard’ Shortcut Empties Your Clipboard Automatically

· Andrew Orr · Cool Stuff Found

Redditor u/SpamSencer created a Clear Clipboard shortcut that does exactly what the name says: It automatically clears your clipboard. With iOS 14, Apple introduced a feature that shows when an app, such as those from TikTok and Microsoft, accesses the clipboard. You could even set the shortcut up as an automation so that it runs whenever you open any app of your choosing (an iOS 14 feature). You’ll just have to painstakingly tap on every app you have installed if you choose to automate it.

‘Deep Social’ Data Leak Exposes 235 Million Profiles of Instagram, TikTok, YouTube

· Andrew Orr · Link


A database containing almost 235 million social media profiles of users from Instagram, TikTok, and YouTube has been exposed because it wasn’t password-protected.

Evidence suggests that much of the data originally came from a now-defunct company: Deep Social. The names of the Instagram datasets (accounts-deepsocial-90 and accounts-deepsocial-91) hint at the data’s origin. Based on this, [security researcher Bob] Diachenko first contacted Deep Social using the email address listed on its website to disclose the exposure. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later.

pCloud Update Lets Users Decide Where Files are Stored

· Andrew Orr · Link

pCloud is an encrypted cloud storage service, and a recent update gave users the ability to decide on which server their files are stored.

All pCloud users will be able to choose the server location where their files are stored. This will give users greater control over the security of their files. Once the choice of where to store the data is made during registration – in the US or Europe – it is practically impossible to transfer them without the user’s knowledge or permission. Currently, the option to select the server location is available only to newly registered users.

‘Have I Been Pwned’ Database Now Open Source

· Andrew Orr · Link


Troy Hunt is making his Have I Been Pwned database open source. He says it’s already a community project with companies like Cloudflare providing free services to HIBP.

The single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn’t changed; the project cannot be solely dependent on me. Yet that’s where we are today and if I disappear, HIBP quickly withers and dies.