While Microsoft is now in talks to purchase Internet phenomenon TikTok, new information reveals that the Chinese-owned service sometimes turned to questionable tactics without users knowing about them. More specifically, a report from the WSJ reveals that TikTok collected users’ MAC addresses from Android devices despite a series of protections put in place by Google. What’s more, the search giant has specifically banned the practice, yet the TikTok app even featured an extra system whose purpose was to hide this information tracking. The MAC address, which is unique for every device, was included in the batch of data that TikTok collected from Android devices and which users typically gave their consent for. This data includes advertising-related information, such as the advertising ID. According to the report, the MAC address collection was sh...
For the 155th episode of the Kaspersky Transatlantic Cable Podcast, Jeff and I talk about the recent Canon ransomware attack and much more. The first story we look at is about some US lawyers asking the California DMV why (and how) they’re making $50 million a year selling driver’s license data. From there, we turn to recent news that the US government is offering a bounty of $10 million for information about election hacking. Moving over to the gaming world, the next story takes a look at a “vigilante” who’s hacking the hackers, so to speak. GamerDoc has garnered some fame exposing cheats and cheaters in the first-person-shooter gaming world, and it seems cheat developers are none too pleased. Then we look at a story that should never have been: The alleged Twitter hacker was summoned to a virtual court, but matters soon took a turn when Zoom-bombers invaded, shouting and broadcasting pornography. The session was quickly adjourned. Finally, we discuss yet another big company apparently being hit by ransomware. If you like what you heard, please consider sharing with your friends or subscribing. For more information on the topics discussed, please click on the links below.
Lawmakers ask California DMV how it makes $50 million a year selling drivers’ data
U.S. offers reward of $10M for info leading to discovery of election meddling
The vigilante hunting down cheaters in video games
Twitter hack Zoom court hearing interrupted by porn video
Canon confirms ransomware attack in internal memo
Our technologies prevented an attack on a South Korean company recently. That’s just your average Wednesday, you might say — but while analyzing the cybercriminals’ tools, our experts discovered two whole zero-day vulnerabilities. They found the first in Internet Explorer 11’s JavaScript engine.
That one enabled the attackers to remotely execute arbitrary code. The second, detected in an operating system service, let the attackers escalate privileges and perform unauthorized actions. The exploits for these vulnerabilities operated in tandem. First, the victim was slipped a malicious script that a hole in Internet Explorer 11 allowed to run; and then a flaw in the system service further escalated the malicious process’s privileges. As a result, the attackers were able to take control of the system. Their goal was to compromise the computers of several employees and penetrate the organization’s internal network. Our experts have dubbed this malicious campaign Operation PowerFall. At present, researchers have found no inarguable link between this campaign and known actors. However, judging by the similarity of the exploits, they haven’t ruled out involvement by DarkHotel. When our researchers informed Microsoft of their findings, the company said it already knew about the second vulnerability (in the system service) and had even made a patch for it. But until we informed them about the first vulnerability (in IE11), they considered its exploitation unlikely.
How is CVE-2020-1380 dangerous?
The first vulnerability is in the library jscript9.dll, which all versions of Internet Explorer since IE9 use by default. In other words, the exploit for this vulnerability is dangerous for modern versions of the browser. (“Modern” is perhaps a slight misnomer given that Microsoft stopped developing Internet Explorer after the release of Edge, with Windows 10). But along with Edge, Internet Explorer is still installed by default in the latest Windows, and it remains an important component of the operating system. Even if you don’t willingly use IE, and it is not your default browser, that doesn’t mean your system cannot be infected through an IE exploit — some applications do use it from time to time.
Take Microsoft Office, for example: It uses IE to display video content in documents. Cybercriminals can also call and exploit Internet Explorer through other vulnerabilities. CVE-2020-1380 belongs to the Use-After-Free class — the vulnerability exploits the incorrect use of dynamic memory. You can read a detailed technical description of the exploit with indicators of compromise in the post “Internet Explorer 11 and Windows 0-day exploits full chain used in Operation PowerFall” on the Securelist website.
How to protect yourself
Microsoft released a patch for CVE-2020-0986 (in the Windows kernel) on June 9, 2020. The second vulnerability, CVE-2020-1380, was patched on August 11. If you update your operating systems regularly, they should already be protected against Operation PowerFall–type attacks. However, zero-day vulnerabilities pop up all the time. To keep your company safe, you need to use a solution with anti-exploit technologies, such as Kaspersky Security for Business. One of its components, the Exploit Prevention subsystem, identifies attempts to exploit zero-day vulnerabilities. In addition, we recommend using modern browsers that receive regular security updates.
Several stories here have highlighted the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. This post examines some of the key places where everyone should plant their virtual flags. As KrebsOnSecurity observed back in
2018, many people — particularly older folks — proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. From that story: “The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.” “The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.” In short, although you may not be required to create online accounts to manage your affairs at your ISP, the U.S. Postal Service, the credit bureaus or the Social Security Administration, it’s a good idea to do so for several reasons. Most importantly, the majority of the entities I’ll discuss here allow just one registrant per person/customer. Thus, even if you have no intention of using that account, establishing one will be far easier than trying to dislodge an impostor who gets there first using your identity data and an email address they control. Also, the cost of planting your flag is virtually nil apart from your investment of time. In contrast, failing to plant one’s flag can allow ne’er-do-wells to create a great deal of mischief for you, whether it be misdirecting your service or benefits elsewhere, or canceling them altogether. Before we dive into the list, a couple of important caveats. 
Adding multi-factor authentication (MFA) at these various providers (where available) and/or establishing a customer-specific personal identification number (PIN) also can help secure online access. For those who can’t be convinced to use a password manager, even writing down all of the account details and passwords on a slip of paper can be helpful, provided the document is secured in a safe place. Perhaps the most important place to enable MFA is with your email accounts. Armed with access to your inbox, thieves can then reset the password for any other service or account that is tied to that email address. People who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Secondly, guard the security of your mobile phone account as best you can (doing so might just save your life). The passwords for countless online services can be reset merely by entering a one-time code sent via text message to the phone number on file for the customer’s account. And thanks to the increasing prevalence of a crime known as SIM swapping, thieves may be able to upend your personal and financial life simply by tricking someone at your mobile service provider into diverting your calls and texts to a device they control. Most mobile providers offer customers the option of placing a PIN or secret passphrase on their accounts to lessen the likelihood of such attacks succeeding, but these protections also usually fail when the attackers are social engineering some $12-an-hour employee at a mobile phone store. Your best option is to reduce your overall reliance on your phone number for added authentication at any online service. Many sites now offer MFA options that are app-based and not tied to your mobile service, and this is your best option for MFA wherever possible. 
YOUR CREDIT FILES
First and foremost, all U.S. residents should ensure they have accounts set up online at the three major credit bureaus — Equifax, Experian and Trans Union. It’s important to remember that the questions these bureaus will ask to verify your identity are not terribly difficult for thieves to answer or guess just by referencing public records and/or perhaps your postings on social media. You will need accounts at these bureaus if you wish to freeze your credit file. KrebsOnSecurity has for many years urged all readers to do just that, because freezing your file is the best way to prevent identity thieves from opening new lines of credit in your name. Parents and guardians also can now freeze the files of their dependents for free. For more on what a freeze entails and how to place or thaw one, please see this post. Beyond the big three bureaus, Innovis is a distant fourth bureau that some entities use to check consumer creditworthiness. Fortunately, filing a freeze with Innovis likewise is free and relatively painless. It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers who are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link. If you placed a freeze on your file at the major bureaus more than a few years ago but haven’t revisited the bureaus’ sites lately, it might be wise to do that soon. Following its epic 2017 data breach, Equifax reconfigured its systems to invalidate the freeze PINs it previously relied upon to unfreeze a file, effectively allowing anyone to bypass that PIN if they can glean a few personal details about you. Experian’s site also has undermined the security of the freeze PIN.
I mentioned planting your flag at the credit bureaus first because if you plan to freeze your credit files, it may be wise to do so after you have planted your flag at all the other places listed in this story. That’s because these other places may try to check your identity records at one or more of the bureaus, and having a freeze in place may interfere with that account creation.
YOUR FINANCIAL INSTITUTIONS
I can’t tell you how many times people have proudly told me they don’t bank online, and prefer to manage all of their accounts the old fashioned way. I always respond that while this is totally okay, you still need to establish an online account for your financial providers because if you don’t someone may do it for you. This goes doubly for any retirement and pension plans you may have. It’s a good idea for people with older relatives to help those individuals set up and manage online identities for their various accounts — even if those relatives never intend to access any of the accounts online. This process is doubly important for parents and relatives who have just lost a spouse. When someone passes away, there’s often an obituary in the paper that offers a great deal of information about the deceased and any surviving family members, and identity thieves love to mine this information.
YOUR GOVERNMENT
Whether you’re approaching retirement, middle-aged or just starting out in your career, you should establish an account online at the U.S. Social Security Administration. Maybe you don’t believe Social Security money will actually still be there when you retire, but chances are you’re nevertheless paying into the system now. Either way, the plant-your-flag rules still apply. Ditto for the Internal Revenue Service. A few years back, ID thieves who specialize in perpetrating tax refund fraud were massively registering people at the IRS’s website to download key data from their prior years’ tax transcripts.
While the IRS has improved its taxpayer validation and security measures since then, it’s a good idea to mark your territory here as well. The same goes for your state’s Department of Motor Vehicles (DMV), which maintains an alarming amount of information about you whether you have an online account there or not. Because the DMV also is the place that typically issues state drivers licenses, you really don’t want to mess around with the possibility that someone could register as you, change your physical address on file, and obtain a new license in your name. Last but certainly not least, you should create an account for your household at the U.S. Postal Service’s Web site. Having someone divert your mail or delay delivery of it for however long they like is not a fun experience. Also, the USPS has this nifty service called Informed Delivery, which lets residents view scanned images of all incoming mail prior to delivery. In 2018, the U.S. Secret Service warned that identity thieves have been abusing Informed Delivery to let them know when residents are about to receive credit cards or notices of new lines of credit opened in their names. Do yourself a favor and create an Informed Delivery account as well. Note that multiple occupants of the same street address can each have their own accounts.
YOUR HOME
Online accounts coupled with the strongest multi-factor authentication available also are important for any services that provide you with telephone, television and Internet access. Strange as it may sound, plenty of people who receive all of these services in a bundle from one ISP do not have accounts online to manage their service. This is dangerous because if thieves can establish an account on your behalf, they can then divert calls intended for you to their own phones.
My original Plant Your Flag piece in 2018 told the story of an older Florida man who had pricey jewelry bought in his name after fraudsters created an online account at his ISP and diverted calls to his home phone number so they could intercept calls from his bank seeking to verify the transactions. If you own a home, chances are you also have an account at one or more local utility providers, such as power and water companies. If you don’t already have an account at these places, create one and secure access to it with a strong password and any other access controls available. These frequently monopolistic companies traditionally have poor to non-existent fraud controls, even though they effectively operate as mini credit bureaus. Bear in mind that possession of one or more of your utility bills is often sufficient documentation to establish proof of identity. As a result, such records are highly sought-after by identity thieves. Another common way that ID thieves establish new lines of credit is by opening a mobile phone account in a target’s name. A little-known entity that many mobile providers turn to for validating new mobile accounts is the National Consumer Telecommunications and Utilities Exchange, or nctue.com. Happily, the NCTUE allows consumers to place a freeze on their file by calling their 800-number, 1-866-349-5355. For more information on the NCTUE, see this page. Have I missed any important items? Please sound off in the comments below.
Microsoft earlier today released its August 2020 batch of software security updates for all supported versions of its Windows operating systems and other products. This month's Patch Tuesday updates address a total of 120 newly discovered software vulnerabilities, of which 17 are critical, and the rest are important in severity. In a nutshell, your Windows computer can be hacked if you: Play a
New research disclosed a string of severe security vulnerabilities in the 'Find My Mobile'—an Android app that comes pre-installed on most Samsung smartphones—that could have allowed remote attackers to track victims' real-time location, monitor phone calls, and messages, and even delete data stored on the phone. Portugal-based cybersecurity services provider Char49 revealed its findings on
As software eats the world, the world faces a software security crisis. The movement to modern software such as cloud technologies and microservice architectures is essential to innovate quickly. Yet, nearly three in four developers say that security slows down Agile and DevOps. Neither developers nor security teams are to blame. DevOps speed is held back by a 15-year-old, scan-based
Even though the 2020 Back to School season may look very different from those in years past, there are a few things that will remain the same. First, since Back to School is often when parents and caregivers stock up on new clothes, tech, and school supplies for students, it’s also when lots
of stores (especially online retailers) run huge sales. Second, there will be the customary spike in cyberattacks. In fact, the attacks on the Education sector are already up. The latest data from Microsoft shows that the Education sector has recently suffered more encounters with malware (over 5,000,000 in the last 30 days) than any other industry! Since a lot of children and teens will be attending school virtually, either part-time or full-time, they’ll be spending even more time on the internet than they currently do. The more time they spend online, the higher the risk they face. Here are the top threats to watch out for, as well as tips for how to help keep young learners safe during Back to (Virtual) School.
Phishing
According to Tyler Moffitt, security analyst at Webroot, “phishing isn’t going to go away any time soon. As tactics go, it’s an oldie, but goodie. Times of year when people do more shopping, like Back to School or Christmas, are a big draw for cybercriminals. We always see a spike in phishing during those times. And with more people shopping and streaming online during COVID-19, I’m betting we’ll see even more activity this year than we would normally expect.” To underscore Tyler’s point, the latest intelligence from the Webroot BrightCloud® Real-Time Anti-Phishing service shows that phishing URLs targeting global streaming services have increased significantly. In March 2020 alone, we saw the following increases in phishing URLs, broken out by service:
Netflix – 525% increase
YouTube – 3,064% increase
Twitch – 337% increase
HBO – 525% increase
Not only should you and your young learner keep an eye out for email scams, but also bear in mind that phishing can happen through a variety of channels. Because many students will end up communicating mostly via online chat, text message (SMS), or social media, it’s important for us all to be extra vigilant about what we click, what we download, and what information we transmit.
Zoom-bombing
The rise in the use of Zoom and other videoconferencing platforms has also paved the way for malicious actors to cause trouble. While it’s named after Zoom, zoom-bombing as a term refers to the act of intruding on a video conference on any platform and creating a disruption, such as spreading hate speech, displaying pornography, and more. Additionally, Webroot threat researchers have seen videoconference executable files (i.e. the file you run to launch the program) either faked or manipulated so that unwitting victims end up downloading malware.
Fake Websites and Spoofing
Webroot researchers have seen huge jumps in the number of fake websites out there, particularly those with “COVID” and related terms in their domain names. Tyler also warns us to be on our guard for website spoofing, which is when malicious actors create a fake version of a website that looks like the real thing. “A lot of people will have to access specific websites and online systems for school and related activities,” he says. “Criminals will effectively set traps, so that a mistyped URL or a fake search result could land you on a fake page that looks completely real, only to steal your info or install malware on your system.”
How to Keep Yourself and Your Family Safe
Here are Tyler’s top tips for staying safe online through Back to School and beyond.
Use internet security software. If you haven’t already, install internet security with antivirus on all your devices, especially those that will be used for schoolwork. Don’t forget about using a VPN to protect kids’ internet activity from prying eyes.
Update videoconferencing software. Make sure children and teens are always using the most up-to-date versions of Zoom (or any other videoconferencing software) to ensure they have the latest patches to prevent malware distribution and disruptions.
Watch out for phishing in all its forms. Talk to kids about phishing. Make sure you all know to look before you click. And remember, phishing scams can look just like a text message from a best friend, classmate, or teacher, so always be wary of messages that ask you to click a link or download a file. Use a secondary means of communication, like a phone call, to verify that these are legitimate.
Use your bookmarks. Bookmark all required distance learning pages. Criminals may try to spoof these for phishing, especially if there is a popular portal that many schools use. Using a bookmark, instead of Googling and clicking a search result, will help ensure that your kids are on the right page.
Just say ‘no’ to macros. If you or your kids download a document and it asks you to enable macros or enable content, DO NOT DO IT. This is very likely to be a malicious file that will infect your computer.
Use a secure backup. When we’re all so reliant on our computers and other internet-connected devices to work and study, it’s extra important to make sure they’re backed up. Nobody wants to lose a term paper or other important documents to a malware infection, hardware failure, damage, loss, or theft. Save yourself the hassle and heartache by investing in backup software.
This Back to School season, it’s especially vital that we all do what we can to ensure children and teens have the skills, awareness, and security protocols to stay safe. By following these tips, you can help make sure they stay safe today, tomorrow, and beyond.
The post Cybersecurity and Back to (Virtual) School 2020: What You Need to Know appeared first on Webroot Blog.