Cyber security aggregate rss news



 Privacy

Probably everyone has damaged their smartphone, tablet or laptop and needed it repaired at least once in their lives. The cause of the damage may be the user's own sloppiness: replacing broken smartphone screens has brought countless billions of dollars to the industry. But more often, it's just a random malfunction like the battery failing, the hard drive dying, or a key coming off the keyboard. And this can happen at any time.

Unfortunately, modern devices are made in such a way that even the handiest of computer wizards are often unable to fix them on their own. The repairability of smartphones is steadily decreasing from year to year. To fix the latest models, it takes not only skill and a general understanding of how all sorts of digital gizmos work; you also now need specialist tools, expertise, access to documentation, and unique spare parts. Therefore, when a smartphone or laptop breaks, the user usually has little choice other than finding a service center. After all, simply throwing out your broken device, buying another and starting over normally isn't an option, because you'd probably like to recover all the data that was on it.

So, it's over to the service center you head. But there's a problem: you have to pass your device into the hands of a stranger. Photos and videos, correspondence and call history, documents and financial information can all end up being directly accessible by somebody you don't know. Can this person be trusted?

Homemade porn viewings at repair shops are a thing

I personally gave this some serious thought recently after what a friend of mine told me. He'd had an informal chat with some guys working at a small repair shop. They told him without any hesitation how they occasionally held viewings, for employees and their friends, of homemade porn found on the devices they repair! Similar incidents pop up in the news from time to time. Employees stealing private photos of customers have been found in more than one service center. And sometimes even bigger stories emerge: in one case, service-center employees not only stole photos of female customers for years, but also put together entire collections of them and shared them.

But surely such incidents are exceptions to common practice? Not every service center has staff eager to get their hands on customers' personal data, right? Unfortunately, the results of a study I recently came across show that breaches of customer privacy by maintenance technicians are a much more common problem than we would all like to think. In fact, it seems highly likely that excessive curiosity on the part of repair staff is a feature of this industry rather than a matter of isolated outrageous incidents. But let's not get ahead of ourselves. I'll take you through it all step by step.

How electronics repair services treat their customers' data

The study was conducted by researchers at the University of Guelph in Canada. It consists of four parts: two of them are devoted to the analysis of conversations with customers of repair services, and two were field studies in the service shops themselves (which I will focus on here).

In the first of the field parts, the researchers tried to find out how repair shops treat privacy in terms of their intentions. First and foremost, the researchers were interested in what privacy policies or procedures the service shops had in place to safeguard customers' data. To do this, the researchers visited nearly 20 service shops of various types (from small local repairers to regional and national service providers). The reason for each visit was to replace the battery in an ASUS UX330U laptop. The reason behind the choice of malfunction was simple: diagnosing the problem and solving it does not require access to the operating system, and all the necessary tools for this are in the laptop's UEFI (the researchers use the old-fashioned term BIOS).

The researchers' visits to the service centers involved several steps. First, they looked for any information readily available to the customer regarding the service center's data privacy policy. Second, they checked to see if the employee taking the device would request the username and password to log in to the operating system and, if so, how they would justify the need to hand that information over (there's no obvious reason for this because, as stated, battery replacement doesn't require access to the operating system). Third, the researchers noted how the password for the device being handed over for repair was stored. Finally, fourth, they asked the employee accepting the equipment a direct and unambiguous question: "How do you make sure no one will access my personal data?" – to find out what privacy policies and protocols were in place.

The results of this part of the study were disappointing. None of the service shops visited by the researchers informed the customers about any respective privacy policy before accepting the device. Except for a single regional center, all services asked for the login password – arguing that it's simply required either for diagnostics or repair, or to check the quality of the services provided (which, as mentioned above, isn't the case). When asked if it was possible to perform the battery replacement without a password, all three national providers replied no. At five smaller services they said that without a password they wouldn't be able to check the quality of the work carried out and therefore refused to take responsibility for the results of the repair. Another shop suggested removing the password altogether if the customer didn't want to share it! And finally, the last shop visited said that if they're not given the password, the device could be reset to factory settings should the maintenance technician need to do so.

As for storage of credentials, in almost all cases they were stored in an electronic database along with the customer's name, phone number and e-mail address, but there was no explanation as to who could access this database. In about half of the cases, the credentials were also physically attached to the laptop handed over for repair. They were either printed out and attached as a sticker (in the case of larger services), or simply handwritten on a sticky note – that's classic! Thus, it would appear that any of the employees of the service shops (maybe even casual visitors too) could have access to the passwords.

When asked how data privacy would be guaranteed, the employee who accepted the device and other repair staff gave assurances that only the technician repairing the device would have access to it. However, further inquiries showed that there was no mechanism that could guarantee this; only their word was to be had on this.

So what do maintenance technicians do with customers' personal data?

Having found out that the service centers have no mechanisms to curb the curiosity of their specialists, in the next part of the study the researchers began examining what actually happens to a device after it's handed over for repair. To do this, they bought six new laptops and simulated a basic problem with the audio driver on them: they simply turned it off. Therefore, the repair needed just superficial diagnostics and a quick fix by turning it back on. This particular malfunction was chosen since, unlike other services (such as removing viruses from the system), fixing the audio driver requires no access to user files whatsoever.

The researchers made up fictitious user identities on the laptops (male users in the first half of the experiment and female users in the second half). They created a browser history, email and gaming accounts, and added various files – including photos of the experimenters. Also added was the first bait: a file with the credentials to a cryptocurrency wallet. The second bait was a separate folder containing mildly explicit images. The researchers used real female-coded pictures from Reddit users for the experiment (after having obtained consent beforehand, of course). Finally, and most importantly, before the laptops were handed over to the service, the researchers turned on the Windows Problem Steps Recorder utility, which records every action performed on the device.

After that, the laptops were passed on for repair to 16 service centers. Again, to get a complete picture, the researchers visited both small local services and centers of major regional or national providers. The genders of the customers were evenly distributed: in eight cases devices were configured with a fictional female persona, and in the other eight with a male one.

Here's what the researchers found out:

- Despite its simplicity, the problem with the audio driver was solved in the customer's presence after a short wait in just two cases. In all other experiments, the laptops had to be left until at least the next day. And the service centers of national service providers kept them in for repair for at least two days.
- For two local services, it wasn't possible to collect the logs of the repair staff's actions. In one case, a plausible reason for this couldn't be found. In the other, the researchers were told that maintenance technicians had to run antivirus software on the device and clean up its disk due to multiple viruses (the researchers were absolutely sure that at the time of drop-off, the laptop could not have been infected).

In the other cases, the researchers were able to explore the logs; here are their findings:

- Among the remaining logs, the researchers found six cases where the repairers gained access to personal files or browser history. In four cases, this was recorded on the females' laptops; the other two on the males'. In half of the incidents, curious service-center employees tried to hide traces of their actions by clearing the list of most recently opened Windows files.
- The repair staff were most interested in image folders. Their contents (including explicit photos) were viewed in five cases. Four of the laptops in these cases belonged to females, the other to a male.
- Browser history was the subject of interest for two laptops – both belonging to males.
- Financial data was viewed once – on a male's device.
- In two cases, user files were copied by maintenance technicians to an external device. Both times, they were explicit photos, and in one case the aforementioned financial data was added.

In about half of all cases, service-center employees gained access to user files. They were almost always interested in pictures – including explicit photos.

How to protect yourself from nosy maintenance technicians

Of course, it should be borne in mind that this is a Canadian study. It wouldn't be right to project its results onto all countries. Nevertheless, I somehow doubt that the situation around the world is generally much better. It's likely that service centers in most countries, just as in Canada, have no cogent mechanisms in place to prevent their employees from violating customer privacy. And it's also likely that such employees take advantage of the lack of restrictions set by their employers to pry into customers' personal data – especially that of women.

So, before you take your device to the service center, it's worth doing a little preparation:

- Be sure to make a complete backup of all data contained on the device to an external storage device or to the cloud (if possible, of course). It's standard practice for service centers to make no guarantees as to the safety of customer data, so you may well lose valuable files in the course of a repair.
- Ideally, your device should be completely cleared of all data and reset to factory settings before taking it in for repair. For example, this is exactly what Apple recommends doing.
- If clearing and preparing the device for service isn't possible (for example, your smartphone's display is broken), then try to find a service that will do everything quickly and directly in front of you. Smaller centers are usually more flexible in this regard.
- As for laptops, it may be sufficient to hide all confidential information in a crypto container (for instance, using a security solution), or at least in a password-protected archive.
- Owners of Android smartphones should use the app locking feature in Kaspersky Premium for Android. It lets you lock all your apps using a separate PIN code that's in no way related to the one used to unlock your smartphone.


 A Little Sunshine

John Clifton Davies, a 60-year-old con man from the United Kingdom who fled the country in 2015 before being sentenced to 12 years in prison for fraud, has enjoyed a successful life abroad swindling technology startups by pretending to be a billionaire investor. Davies’ newest invention appears to be “CodesToYou,” which purports to be a “full cycle software development company” based in the U.K.

The scam artist John Bernard a.k.a. Alan John Mykhailov (left) in a recent Zoom call, and a mugshot of John Clifton Davies from nearly a decade earlier.

Several articles here have delved into the history of John Bernard, the pseudonym used by a fake billionaire technology investor who tricked dozens of startups into giving him tens of millions of dollars. John Bernard’s real name is John Clifton Davies, a convicted fraudster from the United Kingdom who is currently a fugitive from justice. For several years until reinventing himself again quite recently, Bernard pretended to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago. “The Private Office of John Bernard” let it be known to investment brokers that he had tens of millions of dollars to invest in tech startups, and he attracted a stream of new victims by offering extraordinarily generous finder’s fees to brokers who helped him secure new clients. But those brokers would eventually get stiffed because Bernard’s company would never consummate a deal.

John Bernard’s former website, where he pretended to be a billionaire tech investor.

Bernard would promise to invest millions in tech startups, and then insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called The Inside Knowledge GmbH — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

A variety of clues suggest Davies has recently adopted at least one other identity — Alan John Mykhailov — who is listed as chairman of a British concern called CodesToYou LTD, incorporated in May 2022. The CodesToYou website says the company employs talented coders in several countries, and that its programmers offer “your ultimate balance between speed, cost and quality.”

The team from CodesToYou.

In response to questions from KrebsOnSecurity, CodesToYou’s marketing manager — who gave their name only as “Zhena” — said the company was not affiliated with any John Bernard or John Clifton Davies, and maintained that CodesToYou is a legitimate enterprise. But publicly available information about this company and its leadership suggests otherwise.

Official incorporation documents from the U.K.’s Companies House represent that CodesToYou is headed by an Alan John Mykhailov, a British citizen born in March 1958. Companies House says Mykhailov is an officer in three other companies, including one called Blackstone Corporate Alliance Ltd. According to the Swiss business tracking service business-monitor.ch, Blackstone Corporate Alliance Ltd. is currently the entity holding a decision-making role in John Bernard’s fake due diligence company — The Inside Knowledge GmbH — which is now in liquidation.

A screen shot of the stock photos and corporate-speak on John Bernard’s old website. Image: Archive.org

Also listed as a partner in Blackstone Corporate Alliance Limited is Igor Hubskyi (a.k.a. Igor Gubskyi), a Ukrainian man who was previously president of The Inside Knowledge GmbH. The CodesToYou website says the company’s marketing team lead is Maria Yakovleva, and the photo of this employee matches the profile for the LinkedIn account name “Maria Y.” That same LinkedIn profile and photo previously listed Maria by a different first and last name — Mariya Kulikova; back then, Ms. Kulikova’s LinkedIn profile said she was an executive assistant in The Private Office of Mr. John Bernard.

Companies House lists Alan John Mykhailov as a current officer in two other companies, including Frisor Limited, and Ardelis Solutions Limited. A cached copy of the now-defunct Ardelis Solutions website says it was a private equity firm. CodesToYou’s Maria also included Ardelis Solutions in the work history section of her LinkedIn resume. That is, until being contacted by this author on LinkedIn, after which Maria’s profile picture and any mention of Ardelis Solutions were deleted.

Listed as head of business development at CodesToYou is David Bruno, a Canadian man whose LinkedIn profile says he is founder of an organization called “World Privacy Resource.” As KrebsOnSecurity reported in 2020, Bruno was at the time promoting himself as the co-CEO of a company called SafeSwiss Secure Communication AG, and the founder of another tech startup called Secure Swiss Data. Secure Swiss Data’s domain — secureswissdata.com — is a Swiss concern that sells encrypted email and data services. According to DomainTools.com, that website name was registered in 2015 by The Inside Knowledge GmbH. In February 2020, a press release announced that Secure Swiss Data was purchased in an “undisclosed multimillion buyout” by SafeSwiss Secure Communication AG.

A cached copy of the Ardelis Solutions website, which said it was a private equity firm and included similar stock images as John Bernard’s investment website.

When reached in 2020 and asked about his relationship to Mr. Bernard, Mr. Bruno said the two were business partners and that he couldn’t imagine that Mr. Bernard would be involved in anything improper. To this day Mr. Bruno is the only person I’ve spoken to who has had anything positive to say about Mr. Bernard. Mr. Bruno did not respond to requests for comment this time around, but his LinkedIn profile no longer makes any mention of Secure Swiss Data or SafeSwiss — both companies he claimed to run for many years. Nor does it mention CodesToYou. However, Mr. Bruno’s former company SafeSwiss is listed as one of the six “portfolio” companies whose services are promoted on the CodesToYou website.

In mid-2021, Bruno announced he was running for public office in Ontario. “The Kenora resident is no stranger to the government as he contributed to Canada’s new Digital Charter, Bill C-11, which is a new Cyber Security policy,” reported Drydennow.com, a news website that covers Northwestern Ontario. Drydennow says the next federal election is expected to be held on or before Oct. 16, 2023.

John Clifton Davies was convicted in 2015 of swindling businesses throughout the U.K. that were struggling financially and seeking to restructure their debt. For roughly six years, Davies ran a series of firms that pretended to offer insolvency services, but instead simply siphoned what little remaining money these companies had. The very first entity mentioned in the technology portfolio advertised on the CodesToYou website is called “MySolve,” and it purports to offer a “multi-feature platform for insolvency practitioners.” Mr. Davies’ fourth wife, Iryna Davies, is listed as a director of one of the insolvency consulting businesses in the U.K. that was part of John Davies’ 2015 fraud conviction.

Prior to his trial for fraud, Davies served 16 months in jail before being cleared of murdering his third wife on their honeymoon in India: Colette Davies, 39, died after falling 80 feet from a viewing point at a steep gorge in the Himachal Pradesh region of India. Mr. Davies was charged with murder and fraud after he attempted to collect GBP 132,000 in her life insurance payout, but British prosecutors ultimately conceded they did not have enough evidence to convict him.

The scams favored by Davies and his alter egos are smart because he never approaches investors directly; rather, investors are incentivized to put his portfolio in front of tech firms seeking financial backing. And all the best cons begin as an idea or possibility planted in the target’s mind. It’s also a reliable scam because companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. On top of that, many victims will likely be too ashamed to admit their duping. Victims who do press their case in court and win then face the daunting challenge of collecting damages from a slew of ephemeral shell corporations.

The latest Bernard victim to speak publicly — a Norwegian company hoping to build a fleet of environmentally friendly shipping vessels — is now embroiled in a lawsuit over a deal gone bad. As part of that scam, Bernard falsely claimed to have secured $100 million from six other wealthy investors, including the founder of Uber and the artist Abel Makkonen Tesfaye, better known as The Weeknd.

If you liked this story, check out my previous reporting on John Bernard/Davies:

- Due Diligence That Money Can’t Buy
- Who is Tech Investor John Bernard?
- Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30 Million
- Investment Scammer John Davies Reinvents Himself?
- Fake Investor John Bernard Sinks Norwegian Green Shipping Dreams

 Trends, Reports, Analysis

Cofense released a report on the top phishing trends of 2022 and found that attackers largely preferred credential phishing as their primary attack method. The use of malware in these attacks increased by 44%, with Emotet and Qakbot being the most used malware families. Moreover, the total volume of scam URLs increased by 30% between 2021 and 2022.

 Threat Actors

Researchers discovered that a series of cyberespionage attacks launched by subgroups of the Earth Preta APT has affected over 200 organizations. While some of these subgroups focus on stealing intellectual property and business information, others target government and diplomatic entities.

 Breaches and Incidents

The hackers convinced the wife of a serving colonel in the Russian military to participate in a patriotic photoshoot. She then convinced 12 more military wives to join, which allowed them to extract personal and sensitive information.

 Govt., Critical Infrastructure

The UK’s Information Commissioner’s Office (ICO) has called for “serious improvements” to data protection processes for organizations handling information on HIV sufferers, after reprimanding an NHS body.

 Threat Actors

The Winter Vivern APT group was seen abusing a bug in the Zimbra Collaboration software to obtain secrets from the email inboxes of government agencies in European countries. The group uses scanning technologies like Acunetix to find unpatched webmail portals to attack potential victims. The XSS bug, CVE-2022-27926, impacts Zimbra Collaboration version 9.0.0.

 Social Media Threats

Under intense scrutiny from Washington that could lead to a potential ban, the top attorney for TikTok and its Chinese parent company ByteDance defended the social media platform’s plan to safeguard U.S. user data from China.

 Trends, Reports, Analysis

Much of the data in the cloud is unstructured and highly vulnerable to cyber threats. Unstructured data can include anything from emails and FedEx receipts to sensor data and social media feeds.

 Breaches and Incidents

An update released to the “My services” dashboard on March 20 resulted in the data breach, Service NSW chief executive officer Greg Wells said in an email to affected customers shared with AAP on Monday.

 Feed

Ubuntu Security Notice 5994-1 - It was discovered that HAProxy incorrectly initialized certain connection buffers. A remote attacker could possibly use this issue to obtain sensitive information.

 Feed

Ubuntu Security Notice 5993-1 - Demi Marie Obenour discovered that the Samba LDAP server incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information. Andrew Bartlett discovered that the Samba AD DC admin tool incorrectly sent passwords in cleartext. A remote attacker could possibly use this issue to obtain sensitive information.

 Feed

GNUnet is a peer-to-peer framework with a focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP (IPv4 and IPv6), TCP (IPv4 and IPv6), HTTP, or SMTP messages. GNUnet supports accounting to provide contributing nodes with better service. The primary service built on top of the framework is anonymous file sharing.

 Feed

Ubuntu Security Notice 5992-1 - Demi Marie Obenour discovered that ldb, when used with Samba, incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information.

 Feed

Ubuntu Security Notice 5966-3 - USN-5966-1 fixed vulnerabilities in amanda. Unfortunately that update caused a regression and was reverted in USN-5966-2. This update provides security fixes for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.

 Feed

Red Hat Security Advisory 2023-1533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, buffer overflow, bypass, and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2023-1516-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.

 Feed

A piece of new information-stealing malware called OpcJacker has been spotted in the wild since the second half of 2022 as part of a malvertising campaign. "OpcJacker's main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes," Trend Micro researchers

 Feed

Data storage devices maker Western Digital on Monday disclosed a "network security incident" that involved unauthorized access to its systems. The breach is said to have occurred on March 26, 2023, enabling an unnamed third party to gain access to a "number of the company's systems." Following the discovery of the hack, Western Digital said it has initiated incident response efforts and enlisted

 Feed

The Italian data protection watchdog, Garante per la Protezione dei Dati Personali (aka Garante), has imposed a temporary ban of OpenAI's ChatGPT service in the country, citing data protection concerns. To that end, it has ordered the company to stop processing users' data with immediate effect, stating it intends to investigate the company over whether it's unlawfully processing such data in

 Feed

Privileged Access Management (PAM) solutions are regarded as the common practice to prevent identity threats to administrative accounts. In theory, the PAM concept makes absolute sense: place admin credentials in a vault, rotate their passwords, and closely monitor their sessions. However, the harsh reality is that the vast majority of PAM projects either become a years-long project, or even

2023-04
Aggregator history
Monday, April 03