Travelex Infected With Sodinokibi Ransomware, Attacker Wants $3M

A cyber attack infected international foreign currency exchange Travelex with Sodinokibi ransomware. The attackers are demanding US$3 million.

The attack occurred on December 31 and affected some Travelex services. This prompted the company to take offline all its computer systems, a precaution meant “to protect data and prevent the spread of the virus.”

We were told that they deleted the backup files and that the ransom demanded was $3 million; if not paid in seven days (countdown likely started on December 31), the attackers said they will publish the data they stole.

Wyze Leaks Data of 2.4 Million Security Camera Customers

Wyze makes cheap security cameras for people, cheap in terms of price and now apparently security (ironically). A database of its user data was found exposed on the internet, unsecured.

This included a staggering array of personal information including email addresses, a list of cameras in the house, WiFi SSIDs and even health information including height, weight, gender, bone density and more.

“We are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th,” the company said. It denied that it had leaked bone density information, for example, but confirmed it had leaked “body metrics” for a small number of beta testers.

I’m still trying to figure out why a security camera company would have health information.

Spotify Encourages Journalists to Plug in Random USB Drives

As part of a promotion for a podcast, Spotify sent USB drives to journalists. But the move was criticized by computer security researchers.

But anyone with basic security training under their hat — which here at TechCrunch we do — will know to never plug in a USB drive without taking some precautions first.

Plugging in random USB drives is a bigger problem than you might think. Elie Bursztein, a Google security researcher, found in his own research that about half of all people will plug into their computer random USB drives.

I doubt anyone at Spotify was clueless about the security risk. But negative publicity is still publicity.

267 Million Facebook IDs, Phone Numbers Exposed

A database that contained over 267 million Facebook user IDs and phone numbers was discovered on the web. It wasn’t password-protected.

Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. Diachenko believes the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence.

Diachenko immediately notified the internet service provider managing the IP address of the server so that access could be removed. However, Diachenko says the data was also posted to a hacker forum as a download.

FBI Shares 7 Tech Tips to Keep You Safe

The FBI’s Oregon office shared seven tech tips to keep people safe over the holidays, like not letting devices auto-connect to free Wi-Fi. It’s well worth the read.

The kids are getting out of school this week and you are packing your bags for the big trip to the in-laws. Now is not the time you want to talk about cyber security, but we do have a few travel tips to keep you safe while you are on the go.

VICE Tests Amazon Ring’s Security, and it’s Not Good

Journalists at VICE tested the security of Amazon Ring security cameras, and they call it “awful.”

Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in—entirely common security measures across a wealth of online services.

Cellebrite Now Uses iOS Exploit Checkm8

Checkm8 is an iPhone flaw in the bootrom that can lead to a jailbreak. It can’t be patched via software, and it affects the iPhone 4s through iPhone X. But attackers need physical access to your device, and the jailbreak can only be tethered, meaning that if the iPhone is restarted it disappears.

The Cellebrite UFED team is working quickly to provide users with support for the above-mentioned scenario. This will be included with the launch of our iOS extraction agent in an upcoming release. The team is committed to providing a comprehensive, forensically-sound solution that adheres to Cellebrite’s high standards, is fully tested, and is admissible in court.

Speaking about recent rumors, if Apple did remove the Lightning port from future iPhones, I wonder if it would defeat companies like Cellebrite. I’m not sure if they could still extract data via the wireless charger.

Defense Department: We Need That Encryption You Want to Break

Everyone from the Department of Justice and the FBI to politicians like Senator Lindsey Graham is attacking encryption, calling for backdoors for the “public good.” But people who understand security are cautioning against such a move. This week Representative Ro Khanna forwarded a letter to Lindsey Graham from the Defense Department’s Chief Information Officer Dana Deasy.

As the use of mobile devices continues to expand, it is imperative that innovative security techniques, such as advanced encryption algorithms, are constantly maintained and improved to protect DoD information and resources. The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security.

Senator Lindsey Graham to ‘Impose His Will’ on Encryption Backdoors

Apple and Facebook representatives met with lawmakers today where senators pushed for the companies to compromise their users’ security by including encryption backdoors. In particular, Sen. Lindsey Graham said:

My advice to you is to get on with it. Because this time next year, if we haven’t found a way that you can live with, we will impose our will on you.

“Encryption backdoors for thee, but not for me.”

Yubico Authenticator iOS App Now Supports NFC

While Yubico has a security key that plugs into your iPhone via Lightning, the app also supports NFC YubiKeys now.

Instead of storing the time-based one-time passcodes on a mobile phone or computer, Yubico Authenticator generates and stores one-time codes on the YubiKey. A user must present their physical key in order to receive the code for login. This not only eliminates security vulnerabilities associated with a multi-purpose computing device, but also offers an added layer of convenience for users that work between various machines.

US Among Top 5 Worst Countries for Biometrics Privacy

The United States is one of the worst countries in the world when it comes to the privacy of citizens’ biometrics data.

While there is a handful of state laws that protect state residents’ biometrics (as can be seen in our state privacy study), this does leave many US citizens’ biometrics exposed as there is no federal law in place.

This VPN App Sent User Data to China

According to a report on VPN apps for 2019, downloads of these apps have increased 54%. But people need to be careful which VPN app they use. The most popular app, called VPN – Super Unlimited, sent user data to China. But its privacy policy made no secret of this.

We regularly collect and use information that could identify an individual, in particular about your purchase or use of our products, services, mobile and software applications and websites… We use various technologies to determine [your] location, including IP addresses, GPS, and other sensors.

The VPN apps I wrote about are all safe (or at least I personally believe them to be safe).

‘Chain of Trust’ on Apple Devices Explained

In computer security, a ‘chain of trust’ is when each component of hardware and software validates each other to make sure they haven’t been compromised. Kirk McElhearn explains the chain of trust on Apple devices.

It all begins with your Apple ID. When you create a new Apple ID on Apple’s website, or on a device you own, you provide your name, birthday, and email address, set up a password, then answer three security questions. You verify your email address, and your Apple ID now allows you to use Apple’s services.