Clubhouse API Open to Scraping Public User Data

On Saturday, a SQL database containing data of 1.3 million Clubhouse users was posted on a hacker forum. The data included names, user IDs, social media profile names, and other details.

While the data associated with the Clubhouse user base was not acquired as a result of a breach, allowing ‘anyone with an API’ to download public Clubhouse profile information on a mass scale can backfire. For example, data scraping is often used by spammers and phishers to find new victims: they aggregate public contact details and use them for spam lists, robocalls, or social engineering attacks.

It’s not sensitive data, but it can be combined with other data hoards that may contain sensitive data. Every little scrap of data, while innocent on its own, can potentially be used against you, whether by advertisers or hackers.

LinkedIn Data Leak of 500 Million People Sold Online

Just days after a Facebook data leak was discovered, security researchers found another one, this time involving LinkedIn. It affects a similar number of users, 500 million, with data being sold on a “popular hacker forum.”

The leaked files appear to only contain LinkedIn profile information – we did not find any deeply sensitive data like credit card details or legal documents in the sample posted by the threat actor. With that said, even an email address can be enough for a competent cybercriminal to cause real damage.

Facebook Leaks Data of 553 Million People Like Phone Numbers

The personal data of 553 million Facebook users was posted in a hacking forum over the weekend. Data includes phone numbers, full names, locations, email addresses, and other information.

While it’s a couple of years old, the leaked data could prove valuable to cybercriminals who use people’s personal information to impersonate them or scam them into handing over login credentials, according to Alon Gal, the chief technology officer of the cybercrime intelligence firm Hudson Rock, who discovered the trough of leaked data on Saturday.

Facebook PR has been downplaying the leak, saying it’s “only” two years old. But for most people, their phone number, email addresses, and full names probably haven’t changed in that time.

NSA Wants to Spy on Americans Because Reasons

U.S. government servers have been getting hacked left and right. In response, the NSA wants us to think that approval of domestic spying will solve the problem, despite suffering an egregious hack in 2016 where its zero-day exploits were stolen.

“We truly need to look at the ability for us to see ourselves and right now it’s difficult for us to see ourselves,” Nakasone testified on Thursday to the Senate Armed Services Committee. Adversaries like China and Russia “are operating with increased sophistication, scope [and] scale,” including operations that can end “before a warrant can be issued,” he warned.

Facebook Introduces Security Keys for Two-Factor Authentication

Facebook announced on Thursday that it now supports security keys for two-factor authentication on its mobile apps.

Physical security keys — which can be small enough to fit on your keychain — notify you each time someone tries accessing your Facebook account from a browser or mobile device we don’t recognize. We ask you to confirm it’s you with your key, which attackers don’t have.

Dropbox Passwords Rolls Out to All Users in April

Dropbox Passwords launched in 2020 for paid users to manage their passwords. Now the company has announced it will be available to free users in April. You can sign up here to be notified of its release.

Dropbox Basic users will be able to store up to 50 passwords in Dropbox Passwords and have them automatically sync with up to three devices. It will also be possible to share passwords securely with anyone eventually, but this is a feature Dropbox is still working on and isn’t available yet.

I think it’s interesting that Dropbox came out with a password manager, but you can find far better ones for free with fewer limitations, like Bitwarden.

Molson Coors Production Grinds to Halt From Cyberattack

Molson Coors has revealed in its regulatory filing that it suffered a cyberattack, and production has come to a halt.

Molson Coors experienced a systems outage that was caused by a cybersecurity incident. We have engaged a leading forensic IT firm to assist our investigation into the incident and are working around the clock to get our systems back up as quickly as possible.

Not even our beer is safe. One likely candidate is some kind of ransomware.

Dashlane Reveals New Password Changer and Autofill Engine

Dashlane announced on Thursday a redesign of its Password Changer, as well as a new autofill engine powered by machine learning.

Password Changer seamlessly logs users into compatible websites, generates strong, unique passwords, then changes the passwords for those sites on the user’s behalf in one click.

Interested persons can sign up to test the beta versions of Dashlane with these new features using this website.

Verkada Security Breach Exposes 150,000 Surveillance Cameras

Hackers have breached the systems of Verkada, a startup that sells security cameras. The group says it was done to expose how widespread video surveillance is.

A person with knowledge of the matter said Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident. The company is working to notify customers and set up a support line to address questions, said the person, who requested anonymity to discuss an ongoing investigation.

iPhone ‘Call Recorder’ App Leaked User Conversations

An iPhone app called Call Recorder lets users record their phone call conversations. But a recently discovered bug leaked those calls.

But using a readily available proxy tool like Burp Suite, Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone.

A new version of the app was submitted to Apple’s app store on Saturday. The release notes said the app update was to “patch a security report.”
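
The Call Recorder flaw described above comes down to a server accepting a client-supplied phone number as the account identifier. The following is an added example, not code from the app or from the original report, and every name, token and number in it is constructed. It shows that pattern beside a handler that binds the lookup to the authenticated session and records mismatches for detection:

```python
# Constructed sample data: recordings keyed by owner phone number (placeholders).
RECORDINGS = {
    "+15550000001": ["rec-a1.m4a", "rec-a2.m4a"],
    "+15550000002": ["rec-b1.m4a"],
}

# Hypothetical session store: token -> number the server verified at sign-up
# (for example with an SMS code). The client never gets to set this mapping.
SESSIONS = {
    "token-alice": "+15550000001",
    "token-bob": "+15550000002",
}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or claims another owner."""


def list_recordings_trusting(request):
    """Flawed pattern: the owner is whatever number the request body carries."""
    return RECORDINGS.get(request["phone"], [])


def list_recordings_bound(request, audit_log):
    """Hardened: the owner comes from the server-side session, not the body."""
    owner = SESSIONS.get(request.get("token"))
    if owner is None:
        raise Forbidden("unauthenticated")

    claimed = request.get("phone")
    if claimed is not None and claimed != owner:
        # A body that names a different owner is a tampering signal worth logging.
        audit_log.append(
            {"event": "owner_mismatch", "session_owner": owner, "claimed": claimed}
        )
        raise Forbidden("phone number does not match session")

    return RECORDINGS.get(owner, [])
```
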