Latest T-Mobile Data Breach Exposes Customer Data

· Andrew Orr · Link

T mobile logo

The latest T-Mobile data breach (this is the third time and the second breach in 2020) has affected an estimated 200,000 people.

The data accessed did NOT include any names associated with the account, financial data, credit card information, social security numbers, passwords, PINs or physical or email addresses. The information that was accessed may have included phone numbers, number of lines subscribed to and in a small number of cases some call-related information collected as part of normal operation and service.

‘GetSchooled’ Charity Data Breach Exposes Data of 900,000 Kids

· Andrew Orr · Link

Alert symbol of an exclamation point inside triangle

GetSchooled, a charity run by the Bill & Melinda Gates Foundation, has leaked the details of over 900,000 children in a data breach.

The breached information contains extensive personal details of children, teenagers and young adults including: full addresses, schools, full student PII including student phone numbers and emails, graduation details, ages, genders and more…

Full everything. What could be “and more”, medical records? GetSchooled got schooled.

Fashion App ‘21 Buttons’ Exposes Data of European Influencers

· Andrew Orr · Link

woman iPhone security key laptop

An e-commerce app called 21 Buttons has exposed the private data of hundreds of people across Europe.

Among the millions of photos and videos, we also viewed hundreds of invoices detailing payments to users in the 21 Buttons Rewards program, covering the last few months. Some of these invoices appear to be test data, but many of them were definitely legitimate invoices detailing real records of payments made.

Cellebrite Has Not Broken Signal’s Encryption

· Andrew Orr · Link

Signal app icon

On Tuesday, security company Cellebrite claimed to have broken the encryption that Signal uses to keep user communication safe. The blog post has since been removed, but the BBC has an archived version here. But Signal says that claim isn’t true.

It is important to understand that any story about Cellebrite Physical Analyzer starts with someone other than you physically holding your device, with the screen unlocked, in their hands. Cellebrite does not even try to intercept messages, voice/video, or live communication, much less “break the encryption” of that communication. They don’t do live surveillance of any kind.

SolarWinds Hack Affected Tech Companies Like Intel, Cisco, VMware

· Andrew Orr · Link

The SolarWinds cyber attack didn’t just affect government agencies; big tech companies were affected too. Intel, Nvidia, Cisco, Belkin, and VMware were also infected. The Wall Street Journal reports. If the link below is paywalled, try this article from The Verge.

Intel downloaded and ran the malicious software, the Journal’s analysis found. The company is investigating the incident and has found no evidence the hackers used the backdoor to access the company’s network, a spokesman said.

Apple, Google, Microsoft, Mozilla Take on Kazakhstan Government

· Andrew Orr · Link

Safari icon in mac dock

Apple, Google, Microsoft, and Mozilla are teaming up to ban a root certificate used by the Kazakhstan government to decrypt HTTPS traffic for residents in the country’s capital, the city of Nur-Sultan.

Kazakh officials justified their actions claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies.

The government’s explanation did, however, make zero technical sense, as certificates can’t prevent mass cyber-attacks and are usually used only for encrypting and safeguarding traffic from third-party observers.

Private Messenger ‘Signal’ Adds Encrypted Group Video Calls

· Andrew Orr · Link

Signal group video call

Good news for users of Signal. The app now supports group video calls, and they are end-to-end encrypted like the rest of the app’s communications.

Now when you open a group chat in Signal, you’ll see a video call button at the top. When you start a call, the group will receive a notification letting them know a call has started.

When you start or join a group call, Signal will display the participants in a grid view. You can also swipe up to switch to a view that automatically focuses the screen on who is speaking, and it will update in real time as the active speaker changes.

Jetstream Routers Get Firmware Update to Fix Backdoor

· Andrew Orr · Link

Walmart Jetstream router

In November, security researchers found a Walmart-branded router called Jetstream contained a way for a third party to remotely control the router and devices connected to it. Walmart responded and said it stopped selling these routers. The manufacturer, Wavlink, also responded. A firmware update includes the following:

Removed unnecessary diagnostic pages; Deleted tcpdump tool; Added codes to block CSRF attack; Improved Web authentication routine.

The researchers haven’t yet tested the update to see if it has been effective.

Russian ‘Cozy Bear’ Hacking Team Hits US Government Networks

· Andrew Orr · Link

Alert symbol of an exclamation point inside triangle

A group of Russian hackers known as Cozy Bear has hacked several U.S. government agencies like the Treasury and Commerce departments.

On Sunday night, FireEye said the attackers were infecting targets using Orion, a widely used business software app from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.

Spotify Resets User Passwords Over Data Leak

· Andrew Orr · Link

Spotify logo

Spotify has reset an unknown number of user passwords after a bug in its system exposed private data to business partners.

In a data breach notification filed with the California attorney general’s office, the music streaming giant said the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.” The company did not name the business partners, but added that Spotify “did not make this information publicly accessible.”

Fortunately, those like me who created a Spotify account using Sign In with Apple shouldn’t have too much information leaked.

Scam Calls About Suspicious iCloud Activity are Appearing

· Andrew Orr · Link

Home Button iPhone bokeh

Calls from scammers pretending to be from Apple and Amazon have been appearing lately. In the case of Apple, some of them mention suspicious iCloud activity.

In both scenarios, the scammers say you can conveniently press 1 to speak with someone (how nice of them!). Or they give you a phone number to call. Don’t do either. It’s a scam. They’re trying to steal your personal information, like your account password or your credit card number.

5 Encrypted DNS Services to Use on iOS and macOS

· Andrew Orr · Deep Dive

Switching from your ISP’s DNS is good because your browsing history could be sold. Here are five encrypted DNS services to use instead.