GDPR privacy law exploited to reveal personal data

About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancee.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

- a UK hotel chain that shared a complete record of his partner's overnight stays

- two UK rail companies that provided records of all the journeys she had taken with them over several years

- a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

Mr Pavur has, however, named some of the companies that he said had performed well.

Chinese Hackers Attacked Eight Major Technology Service Providers




Eight largest technology service providers were attacked by the hackers of China’s Ministry of State Security; they attempted to access sensitive commercial information and secrets from their clients across the world.

In December, last year, a vicious operation was outlined in formal charges filed in the U.S.; it was designed to illegally access the Western intellectual property with motives of furthering China’s economic interests.

According to the findings made by Reuters, the list of the compromised technology service providers include Tata Consultancy Services, Dimension Data, Hewlett Packard Enterprise, Computer Sciences Corporation, HPE’s spun-off services arm, IBM, DXC Technology, Fujitsu and NTT Data.

Furthermore, various clients of the service providers such as Ericsson also fall prey to the attack.
However, IBM previously stated that it lacks evidence on any secret commercial information being compromised by any of these attacks.

Referencing from the statements given by HPE, they worked diligently for their “customers to mitigate this attack and protect their information.” Meanwhile, DXC told that it had, “robust security measures in place” in order to keep their clients secure.

Commenting on the matter and denying the accusations and any sort of involvement in the attacks, the Chinese government said, “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets,”

“While there have been attacks on our enterprise network, we have found no evidence in any of our extensive investigations that Ericsson’s infrastructure has ever been used as part of a successful attack on one of our customers,” a spokesperson of Ericsson told as the company said, it doesn’t comment on specific cybersecurity matters.




A Critical Vulnerability Assisting Attackers in Gaining Access to Live Video Streaming




Researchers discover a rather critical vulnerability in the D-Link cloud camera that enabled attackers to hijack and intercept the camera in order to gain access to the live video streaming as well as recorded videos by means of communicating over unencrypted channel between the camera and the cloud and between the cloud and the client-side viewer app.

The communication request between the application and the camera built up over a proxy server utilizing a TCP tunnel which is the only place the traffic is encrypted. This blemish enables an attacker to play out a Man-in-the-Middle attack and intercept the said connection with the intend to spy on the victims' video streams.


 Rest of the sensitive content, like the camera IP and MAC addresses, version information, video and audio streams, and the extensive camera information are going through the unencrypted tunnel.

The vulnerability dwells in D-Link customized open source boa web server source code file called request.c which is dealing with the HTTP solicitation to the camera. For this situation, all the approaching HTTP demands or requests that handle by this file elevated to admin enabling the attacker to gain a total device access.

According to ESET Research, “No authorization is needed since the HTTP requests to the camera’s web server are automatically elevated to admin level when accessing it from a localhost IP (viewer app’s localhost is tunneled to camera localhost).”

What's more, this weakness lets the hackers to supplant the real firmware with their own fixed or backdoored variant.

An attacker, who is sitting amidst the system traffic between the viewer application and the cloud or between the cloud and the camera, can see the HTTP demands or requests for the video and audio packets utilizing the data stream of the TCP connection on the server and accordingly answer and recreate these captured packets whenever wherever.



A2 Hosting finds 'restore' the hardest word as Windows outage slips into May

The great A2 Hosting Windows TITSUP has entered its second week as the company continues to struggle to recover from a security breach that forced its System Operations team to shut down all its Windows services.

To recap, things went south on 23 April as malware spread over the company's Windows operation, causing a problem so severe that the A2 Hosting team decided the only way to recover was to restore data from backups. The company told furious customers last week that "Restores continue to progress at a steady pace".

Except, alas, things have not gone smoothly.

As some services gradually tottered into life, users made the horrifying discovery that the backups being restored from were less than minty fresh.

A "day or two" is bad enough for an ecommerce site, but the loss of several months' worth of data is an altogether angrier bag of monkeys. To make matters worse, the company has left it to users to work out just how whiffy those backups are.

Register reader David Sapery, who was lucky enough to see his services stagger back to life after a five-day liedown, was then somewhat embarrassed when his customers, finally able to access his sites, told him things looked a tad outdated.

Sapery told us: "Anything on any of my websites that was updated over the past 2+ months is gone."

Still, Sapery was at least able to recover. Another reader was not so lucky, describing his experience as "an unmitigated disaster."

Having spent eight months and "thousands of dollars", the unfortunate A2 Hosting customer told us that "my business and all my hard work has been gutted within seven days by a hosting company that clearly did not have robust security in place."

A2 Hosting will, of course, point to its Terms of Service where it makes it quite clear that it is not responsible for any data loss and that users are responsible for their own backups.

Security breached of Ayushman Bharat

Ayushman Bharat, the government run health insurance programme, on Saturday confirmed that there had been an attempted security breach. “There have been attempts to get illegal access to large medical data including sensitive personal information,’’ said Dr. Indu Bhushan, CEO Ayushman Bharat - Pradhan Mantri Jan Arogya Yojana.

Alerted about the intrusion 48 hours ago, the National Health Authority — which administers the programme — has now written to all State Governments alerting them about the threat and warning that no sensitive data be shared.

Describing the nature of the attempted breach, Dr. Bhushan said contact had been made with Ayushman Bharat employees urging them to leak sensitive information on the available health profiles of those covered by the scheme.

With more than 3 crore e-cards issued countrywide to individuals covered under the scheme and over 21 lakh hospital admissions, worth ₹2,820 crore, having been approved, the scheme is one of the world’s largest state-run health insurance programmes, according to the government. Health data is extremely sensitive and of great value to commercial and pharmaceutical companies.

“We have this data enveloped in multiple layers of security which is tough to penetrate,” explained Dr. Bhushan. “We also have a stringent access system for those within Ayushman Bharat and we were alerted, almost immediately, when the breach was attempted,’’ he said.

The authority is now also seeking assistance from the public to help ensure that the programme stays cybersecure and that patient data and records are not compromised in any manner.

“We are making a public appeal to please report such cases to @AyushmanNHA at the earliest for proper investigation and actions to mitigate any potential risk,’’ Dr. Bhushan said.

Ayushman Bharat has also had to combat multiple attempts to defraud individuals and companies “using our programmes as a disguise,” said an official, who spoke on condition of anonymity. “People have been offered jobs and some have even been duped saying that we charge for registration. All of this is illegal,’’ the official added.

Facebook leaks millions of Instagram passwords

2018 – What a year was it for Facebook! Data scandals and security leaks, issues from Cambridge Analytica and trails by authorities, Facebook have gone under every shit it’s connected with.

And the problems just keep coming in 2019. And in this year, it seemed to have enough already by internal probs, where is announced in a blog post last month saying, “Millions of users passwords were stored in a readable format in their databases!”

Just a day after the social networking giant admitted that it "unintentionally" uploaded email contacts of nearly 1.5 million of new users, Facebook has now revealed that it exposed millions of Instagram users' passwords in a data-security lapse. The password exposure is part of the security breach that was first reported last month by Krebs on Security. Admitting the security blunder, Facebook has said that the company it stored passwords of millions of users in plain text on its internal servers.

However, at that time Facebook claimed that “hundreds of millions of Facebook Lite users” and “tens of millions of other Facebook users” have been affected. Incidentally, the company has chosen just to update the old blog post while making the new revelation. "This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way," a Facebook spokesperson said in a statement. Here's all you need to know about this latest 'password leak' from Facebook ...

The process was unintentional – according to Facebook – and happened when users were prompted for their password as part of a security verification process. It's been going on since May 2016 but Facebook says its now deleting all the scraped data.

In the updated post Facebook says: We will be notifying these users as we did the others.

Hidden for 5 years, complex ‘TajMahal’ spyware discovered

It's not every day that security researchers discover a new state-sponsored hacking group.

Spyware is inherently intriguing primarily because of the complexity that allows it to carry out its malicious plans, and breaking them down is something that security researchers have to do on a regular basis. However, a unique form of spyware with a phenomenal 80 different components and all kinds of tricks has been discovered by a group of analysts after it. Also, this spyware had been under wraps for more than five years.

A technically sophisticated cyberespionage framework that has been active since at least 2013 has been outed by security researchers.

In a recent talk at the Kaspersky Security Analyst Summit in Singapore, researcher Alexey Shumin shed light on the firm’s groundbreaking discovery of an adaptable Swiss Army spyware framework called TajMahal.

Security researchers still aren't sure who's behind the versatile TajMahal spyware—or how they went undetected for so long. ‘TajMahal’ modules and bundles functionality which have never been before seen in an advanced persistent threat, such as the ability to steal information from printer queues and to grab previously seen files from a USB device the next time it reconnects. And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state hacker group.

The 80 distinct modules include not just the standard ones like keylogging and screen-grabbing but also completely new tools.

TajMahal include two main packages: ‘Tokyo’ and ‘Yokohama’. Tokyo contains the main backdoor functionality, and periodically connects with the command and control servers.

TajMahal is a wonder to behold.

"Such a large set of modules tells us that this APT is extremely complex," Shulmin wrote in an email interview ahead of his talk, using the industry jargon—short for advanced persistent threat—to refer to a sophisticated hackers who maintain long-term and stealthy access to victim networks. "TajMahal is an extremely rare, technically advanced and sophisticated framework, which includes a number of interesting features we have not previously seen in any other APT activity. Coupled with the fact that this APT has a completely new code base—there are no code similarities with other known APTs and malware—we consider TajMahal to be special and intriguing."

Facebook leaves passwords unencrypted



Facebook said there is no evidence its employees abused access to this data. The company said the passwords were stored on internal company servers, where no outsiders could access them. However, privacy experts suggested that users change their passwords.

The security slip left the passwords readable by the social networking giant's employees.

The issue was first reported by security researcher Brian Krebs, who published a blog post-Thursday detailing that Facebook employees built applications that captured the passwords of users and stored them as plain text, meaning a password would be readable just the same as it is entered to log in.

The blunder was uncovered during a routine security review early this year, according to Canahuati.

"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them," vice president of engineering, security, and privacy Pedro Canahuati said.

"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems," Pedro Canahuati, vice president of engineering for security and privacy at Facebook, wrote in a blog post. "This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable."

Most companies encrypt passwords to prevent them from being stolen in the event of a data breach or used for nefarious purposes by company employees.

The incident reveals yet another huge and basic oversight at a company that insists it is a responsible guardian for the personal data of its 2.3 billion users worldwide.

By storing passwords in readable plain text, Facebook violated fundamental computer-security practices. Those call for organizations and websites to save passwords in a scrambled form that makes it almost impossible to recover the original text. The blunder was uncovered during a routine security review early this year, according to Canahuati. 

Google’s Nest Secure had a built-in microphone no one knew about


After the hacking fiasco a few weeks ago, Nest users have been more on edge about their security devices than ever before. The recent discovery of a built-in, hidden microphone on the Nest Guard, part of the Nest Secure security system, has only served to further exacerbate those concerns.

Alphabet Inc's Google said on February 20 it had made an "error" in not disclosing that its Nest Secure home security system had a built-in microphone in its devices.

Consumers might never have known the microphone existed had Google not announced support for Google Assistant on the Nest Secure. This sounds like a great addition, except for one little problem: users didn’t know their Nest Secure had a microphone. None of the product documentation disclosed the existence of the microphone, nor did any of the packaging.

Earlier this month, Google said Nest Secure would be getting an update and users could now enable its virtual assistant technology Google Assistant on Nest Guard.

A microphone built into its Nest Guard alarm/motion sensor/keypad wasn't supposed to be a secret, Google said after announcing Google Assistant support for the Nest Secure system but the revelation that Google Assistant could be used with its Nest home security and alarm system security was a surprise.

“The on-device microphone was never intended to be a secret and should have been listed in the tech specs. That was an error on our part. The microphone has never been on and is only activated when users specifically enable the option,” Google said.

Google’s updated product page now mentions the existence of the microphone.

If your first thought on hearing this news is that Google was spying on you or doing something equally sinister, you aren’t alone. Ray Walsh, a digital privacy expert at BestVPN.com, said “Nest’s failure to disclose the on-board microphone included in its secure home security system is a massive oversight. Nest’s parent company Google claims that the feature was only made available to consumers who activated the feature manually. Presumably, nobody did this; because the feature wasn’t advertised.

Artificial Intelligence Is What’s Protecting Your Microsoft, Google And Similar Accounts





Artificially intelligent systems are quite on the run these days. The new generation believes a lot in the security system which evolves with the hackers’ trickery.

Microsoft, Google, Amazon, and numerous other organizations keep the faith in artificially intelligent security systems.

Technology based on rules and designed to avert only certain and particular kinds of attacks has gotten pretty old school.

There is a raging need for a system which comprehends previous behavior of hacking or any sort of cyber attacks and acts accordingly.

According to researchers, the dynamic nature of machines, especially AI makes it super flexible and all the more efficient in terms of handling security issues.

The automatic and constant retaining process certainly gives AI an edge over all the other forms.

But, de facto, hackers are quite adaptable too. They also usually work on the mechanical tendencies of the AI.

The basic way they go around is corrupting the algorithms and invading the company’s data which is usually the cloud space.

Amazon’s Chief Information Security Officer mentioned that via the aforementioned technology seriously aids in identifying threats at an early stage, hence reducing the severity and instantly restoring systems.

He also cited that despite the absolute aversion of intrusions being impossible, the company’s working hard towards making hacking a difficult job.

Initially, the older systems used to block entry in case they found anything suspicious happening or in case of someone logging in from an unprecedented location.

But, due to the very bluntness of the security system, real and actual users get to bear the inconvenience.

Approximately, 3% of the times, Microsoft had gotten false positives in case of fake logins, which in a great deal because the company has over billions of logins.

Microsoft, hence, mostly calculates and analyzes the technology through the data of other companies using it too.
The results borne are astonishing. The false positive rate has gotten down to 0.001%.

Ram Shankar Siva Kumar, who’s Microsoft’s “Data Cowboy”, is the guy behind training all these algorithms. He handles a 18-engineer team and works the development of the speed of the system.

The systems work efficiently with systems of other companies who use Microsoft’s cloud provisions and services.

The major reason behind, why there is an increasing need to employ AI is that the number of logins is increasing by the day and it’s practically impossible for humans to write algorithms for such vast data.

There is a lot of work involved in keeping the customers and users safe at all times. Google is up and about checking for breachers, even post log in.

Google keeps an eye on several different aspects of a user’s behavior throughout the session because an illegitimate user would act suspiciously for sure, some time or the other.

Microsoft and Amazon in addition to using the aforementioned services are also providing them to the customers.

Amazon has GuardDuty and Macie which it employs to look for sensitive data of the customer especially on Netflix etc. These services also sometimes monitor the employees’ working.

Machine learning security could not always be counted on, especially when there isn’t enough data to train them. Besides, there is always a worry-some feeling about their being exploited.

Mimicking users’ activity to degrade algorithms is something that could easily fool such a technique. Next in line could be tampering with the data for ulterior purposes.

With such technologies in use it gets imperative for organizations to keep their algorithms and formulae a never-ending mystery.

The silver lining though, is that such threats have more of an existence on paper than in reality. But with increasingly active technological innovation, this scenario could change at any time.




Bengaluru Techie Blackmailed To Transfer $2,200 through Bitcoin




In Bengaluru, a hacker claimed he'd utilized a techie's webcam to record his private moments and coerced him, thusly threatening him to transfer $2,200 through bitcoin. Rajesh (name changed), a techie in a multinational software organization on Bannerghatta Road, Bengaluru, received an email which further instructed him to transfer the said amount.

The mail was sent by the hacker,the handle being  'Coy Lynch'  and the mail id as 'hkrawllmerjoc@outlook.com'.

The hacker asserted he had placed malware on specific sites that Rajesh used to visit and had hacked into his camera, hence recording him. The blackmailer even debilitated to destroy him by sending the recorded footage to every one of those on Rajesh's contact list and relatives on the off chance that he refused to do what was asked of him.

Rajesh told STOI, “I checked whether my contact details or personal information was breached. I found that my personal account information was breached from nine sources, including three verified sources. I’m sure he doesn’t have any private video of mine but it’s possible to do it. This has been reported elsewhere. It’s happening here now — blackmail and extortion has started by compromising password.”

Luckily, Rajesh posted a copy of the mail on the Facebook page of Bengaluru police, who are yet to make progress for this case, yet despite everything they haven't discounted the mind-games played by online fraudsters to coerce cash by asserting to have taken control of the victim's laptops or cell phones by utilizing malware.