The latest T-Mobile data breach (this is the third time and the second breach in 2020) has affected an estimated 200,000 people.
The data accessed did NOT include any names associated with the account, financial data, credit card information, social security numbers, passwords, PINs or physical or email addresses. The information that was accessed may have included phone numbers, number of lines subscribed to and in a small number of cases some call-related information collected as part of normal operation and service.
In the wake of the SolarWinds cyber attack on the U.S. government, CISA urges agencies to update their software by the end of the year.
Apple has lost a copyright battle against security company Corellium, a company that virtualizes iOS for security research.
GetSchooled, a charity run by the Bill & Melinda Gates Foundation, has leaked the details of over 900,000 children in a data breach.
The breached information contains extensive personal details of children, teenagers and young adults including: full addresses, schools, full student PII including student phone numbers and emails, graduation details, ages, genders and more…
Full everything. What could be “and more”, medical records? GetSchooled got schooled.
An e-commerce app called 21 Buttons has exposed the private data of hundreds of people across Europe.
Among the millions of photos and videos, we also viewed hundreds of invoices detailing payments to users in the 21 Buttons Rewards program, covering the last few months. Some of these invoices appear to be test data, but many of them were definitely legitimate invoices detailing real records of payments made.
On Tuesday, security company Cellebrite claimed to have broken the encryption that Signal uses to keep user communication safe. The blog post has since been removed, but the BBC has an archived version here. But Signal says that claim isn’t true.
It is important to understand that any story about Cellebrite Physical Analyzer starts with someone other than you physically holding your device, with the screen unlocked, in their hands. Cellebrite does not even try to intercept messages, voice/video, or live communication, much less “break the encryption” of that communication. They don’t do live surveillance of any kind.
The SolarWinds cyber attack didn’t just affect government agencies; big tech companies were affected too. Intel, Nvidia, Cisco, Belkin, and VMware were also infected, The Wall Street Journal reports. If the link below is paywalled, try this article from The Verge.
Intel downloaded and ran the malicious software, the Journal’s analysis found. The company is investigating the incident and has found no evidence the hackers used the backdoor to access the company’s network, a spokesman said.
Apple, Google, Microsoft, and Mozilla are teaming up to ban a root certificate used by the Kazakhstan government to decrypt HTTPS traffic for residents in the country’s capital, the city of Nur-Sultan.
Kazakh officials justified their actions claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies.
The government’s explanation did, however, make zero technical sense, as certificates can’t prevent mass cyber-attacks and are usually used only for encrypting and safeguarding traffic from third-party observers.
Apple has a new 20-page guide available called Device and Data Access when Personal Safety is at Risk.
Good news for users of Signal. The app now supports group video calls, and they are end-to-end encrypted like the rest of the app’s communications.
Now when you open a group chat in Signal, you’ll see a video call button at the top. When you start a call, the group will receive a notification letting them know a call has started.
When you start or join a group call, Signal will display the participants in a grid view. You can also swipe up to switch to a view that automatically focuses the screen on who is speaking, and it will update in real time as the active speaker changes.
In November, security researchers found a Walmart-branded router called Jetstream contained a way for a third party to remotely control the router and devices connected to it. Walmart responded and said it stopped selling these routers. The manufacturer, Wavlink, also responded. A firmware update includes the following:
Removed unnecessary diagnostic pages; Deleted tcpdump tool; Added codes to block CSRF attack; Improved Web authentication routine.
The researchers haven’t yet tested the update to see if it has been effective.
A group of Russian hackers known as Cozy Bear has hacked several U.S. government agencies like the Treasury and Commerce departments.
On Sunday night, FireEye said the attackers were infecting targets using Orion, a widely used business software app from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.
Andrew Orr joins host Kelly Guimont to discuss Security Friday news and updates, and offer some tips on how to avoid credit card shenanigans.
Spotify has reset an unknown number of user passwords after a bug in its system exposed private data to business partners.
In a data breach notification filed with the California attorney general’s office, the music streaming giant said the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.” The company did not name the business partners, but added that Spotify “did not make this information publicly accessible.”
Fortunately, those like me who created a Spotify account using Sign In with Apple shouldn’t have too much information leaked.
Malwarebytes reports that hackers are using a new trick to skim credit card data from websites using a skimmer hidden inside image metadata.
We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot.
A devious, clever hack.
Apple could block apps from the App Store if they fail to comply with its new privacy requirements, Craig Federighi has warned.
Apple and Cloudflare have teamed up to create a new DNS protocol called Oblivious DNS-over-HTTPS, or ODoH.
Calls from scammers pretending to be from Apple and Amazon have been appearing lately. In the case of Apple, some of them mention suspicious iCloud activity.
In both scenarios, the scammers say you can conveniently press 1 to speak with someone (how nice of them!). Or they give you a phone number to call. Don’t do either. It’s a scam. They’re trying to steal your personal information, like your account password or your credit card number.
To accompany his roundup of encrypted DNS services, Andrew has a roundup of the best encrypted cloud storage services.
Switching from your ISP’s DNS is good because your browsing history could be sold. Here are five encrypted DNS services to use instead.