Search This Blog

Showing posts with label Privacy. Show all posts

TV Equipment Used To Eavesdrop On Sensitive Satellite Communications


With just £270 ($300) of home television equipment an Oxford University-based security researcher caught terabytes of real-world satellite traffic including sensitive information from “some of the world’s largest organizations.”

The news comes as the number of satellites in the orbit is said to have an increment from around 2,000 today to more than 15,000 by 2030. James Pavur, a Rhodes Scholar and DPhil student at Oxford will detail the attack in a session at the Black Hat security conference toward the beginning of August.

Alongside it Pavur will demonstrate that, "under the right conditions" attackers can easily hijack active meetings by means of the satellite link, a session overview revealed.

While full details of the attack won't be uncovered until the Black Hat conference, a 2019 conference paper published by Pavur gives a 'sneak peek' into a small part of the challenges of security in the satellite communications space.

It seems to all come down into the absence of encryption-in-transit for satellite-based broadband communications.

The May 2019 paper (“Secrets in the Sky: On Privacy and Infrastructure Security in DVB-S Satellite Broadband“) notes: “Satellite transmissions cover vast distances and are subject to speed-of-light latency effects and packet loss which can impair the function of encryption schemes designed for high-reliability terrestrial environments (e.g. by requiring re-transmission of corrupted key materials). Moreover, satellites themselves are limited in terms of computing capabilities, and any on-board cryptographic operation risks trading off with other mission functionality.”

It additionally uncovers how a small portion of the eavesdropping in was led utilizing a “75 cm, flat-panel satellite receiver dish and a TBS-6983 DVB-S receiver….configured to receive Ku-band transmissions between 10,700 MHz and 12,750 MHz”

Pavur grabbed sensitive communications using tools costing less than $300, including a Selfsat H30D Satellite Dish, a TBS 6983 Satellite PCI-E, and a three-meter coaxial cable.

Pavur even focuses on the Digital Video Broadcasting-Satellite (DVB-S) and DVB-S rendition 2 protocols, which transmit information in MPEG-TS format. The paper includes: "A collection of Python utilities… was used to analyze each of these transponders for signs of DVB-based internet transmissions.”

The 2018 experiment takes note of that through manual review of the intercepted traffic, the security researchers distinguished "[traffic] flows associated with electrical power generation facilities”

“Vulnerable systems administration pages and FTP servers were publicly routable from the open internet. This means that an attacker could sniff a session token from a satellite connection, open a web browser, and log in to the plant’s control panel…”

Alongside further details on the attack, Pavur will at Black Hat present an “open-source tool which individual customers can use to encrypt their traffic without requiring ISP involvement.”


Is A Cheap Phone Worth The Cost Of Your Privacy?


There is absolutely no room for doubt that Chinese manufacturers offer an excess of affordable gadgets with extraordinary specs to boot, in fact,  Xiaomi would most likely be among the brands that you would consider when searching for a decent deal.

However, a few recent revelations put its privacy practices into question.

Security researchers Gabriel Cirlig and Andrew Tierney while speaking to Forbes guaranteed that Xiaomi's web browsers gather an 'over the top' amount of information even in incognito mode. This purportedly incorporated all URLs and search queries made in the stock MIUI browser, just as Mi Browser Pro and Mint Browser.

When combined, these programs have in excess of 15 million downloads on the Google Play Store. As per Forbes, “The device was also recording what folders had been opened and to which screens the user swiped, including the status bar and the settings page.”

Tierney later following up on Xiaomi's blog post with a Twitter thread defending the primary findings with additional evidence. In a said blog post, the Chinese manufacture guaranteed every single data gathered is anonymized and that its practices are the same as the industry standard.

Notwithstanding, not long subsequent to issuing the statement, Xiaomi pushed an update to its browsers, permitting users to 'toggle off’ data collection in incognito mode.

Xiaomi guarantees that all information it gathers is anonymized, in spite of the fact that this has been questioned by the discoveries of the security researchers.

However, regardless of whether Xiaomi's side is thought about in this contention, there has been proof that some anonymized information can still be traced back to the users. The New York Times proved this with anonymous location data.

While browser data may be a bit harder to link to a user than location data, it could be conceivable depending upon how the information is gathered and stored. In the Xiaomi situation, the expansion of the 'toggle off' option is likewise disappointing on the grounds that this implies the default hasn't changed.

The Chinese company will continue gathering incognito browser data unless users are aware of the 'toggle and explicitly opt-out'.

Given the fact that Xiaomi is the fourth-largest smartphone manufacturer by market share, this implies for the average user that is not in particular 'tech-savvy' as the status quo remains the same.


Residents in China under Surveillance amid the Coronavirus Pandemic


According to recent reports, China is alleged for surveilling its residents' homes among the coronavirus epidemic. However, there is no official rule that says China can keep quarantined residents under watch. The incident has been happening since February in China, where few residents have reported cases of security camera equipped right in front of their homes. Three people have already informed of this incident, whereas other similar cases have appeared on social media.


Currently, China doesn't have any national law that allows it to watch its people through surveillance cameras, but still, the cameras are equipped in various public areas in China. According to sources, the authorities are continually keeping a watch on people, whether they are in malls, eating in a restaurant, boarding transport, or even in schools and colleges. According to data by CNN, around 20 Million cameras were installed across china in the year 2020, and this is only a rough estimate. According to some other sources, the numbers can go even higher. As per the reports of IHS Markit Technology, which currently works under Informa Tech, China had around 350 Million surveillance cameras installed in the year 2018, which is five times than of the USA.

What will happen by 2021? 

According to the data, the projection suggests that by the year 2021, China will have equipped six times more surveillance cameras than the US. According to Comparitech, a UK based research organization, "Estimates vary on the number of CCTV cameras in China, but reports range from 200 million up to 626 million in use by 2020. Based on the country's current population of 1.4 billion people, that would mean nearly one camera for every two people. Although this projection might seem vast, it may be a fraction of the actual number."

In the present times, however, the COVID-19 pandemic has triggered the Chinese authorities to keep a watch on its residents' private life. According to these residents, it is a complete breach of privacy. Knowing that this issue might appear, the Joint Civil Society issued a statement earlier this month that said, "the COVID-19 pandemic is a global public health emergency that requires a coordinated and large-scale response by governments worldwide. However, States' efforts to contain the virus must not be used as a cover to usher in a new era of greatly expanded systems of invasive digital surveillance."

Around 25,000 Email Addresses and Passwords Belonging to NIH, WHO, World Bank and Others Posted Online


The SITE Intelligence Group, a non-governmental US-based consultancy group that monitors online activities of international terrorist groups and tracks global extremism, recently discovered around 25,000 email addresses and passwords being posted online by unidentified activists. Reportedly, these credentials belong to the World Health Organisation, National Institutes of Health, the Gates Foundation, and various other organizations united in the global battle against COVID-19 – working to contain the spread of the Coronavirus.

The data of unidentified origins was exposed on Sunday and Monday and straight away used by cybercriminals to make attempts at hacking and take advantage of the posted information by causing incidents of harassment led by far-right extremists. The information made its first appearance on 4chan, an imageboard website where people anonymously post their opinions on subjects ranging from politics, anime, music, video games to sports and literature. It then subsequently appeared on Pastebin, Twitter, and Telegram groups belonging to far-right extremists.

However, the authenticity of the email addresses and passwords is still in question as the SITE said it was unable to verify the data. As per Robert Potter, an Australian cybersecurity expert, the 2,732 emails and passwords belonging to WHO were found to be authentic.

The biggest victim of the incident was NIH with a total of 9,938 emails and passwords being exposed, following NIH was the Centers for Disease Control and Prevention with the second largest number i.e., 6,857 and the World Bank with a total of 5,120, according to the report by SITE. All three organizations were quick to decline the requests of making any comment on the matter.

While providing insights, SITE's executive director, Rita Katz said, “Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues.”

“Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials was just another part of a months-long initiative across the far right to weaponize the covid-19 pandemic.” She further added.

Meanwhile giving assurance, Twitter spokeswoman Katie Rosborough said, “We’re aware of this account activity and are taking widespread enforcement action under our rules, specifically our policy on private information. We’re also taking bulk removal action on the URL that links to the site in question.”

Latest Research Reports Prices of Your Documents on the Dark Web


Atlas VPN did a new study based on Flash Intelligence Research findings from 2017-2019. The research has revealed the costs of essential goods and services on the dark web. For instance, the Social Security Numbers, which are now out of date and insecure as they are no longer in use, especially after the 2018 Equifax Hack, they are still widely used as a primary proof of identification confirmation. Hackers tend to attack websites that can generate millions of SSNs at once so that all the data is vulnerable to hackers.


Therefore, with millions of SSNs in the open, they are sold up to $4 on the dark web. According to Flashpoint, the following services are available on the dark web along with the SSNs.

These services are divided into four types:


  •  Hacker Services
  •  Forged Documents 
  • Personal Identifiable Information (PII) 
  • Stolen Financial Information 


The PII (personally identifiable information) package, in addition to the SSN for $4, has the victim's Name, Passport No, Driver's License Details, and email id. However, access to Stolen Financial Information costs much more than SSN. According to Atlas VPN, credit cards up to $5k balance costs $10, whereas discredited bank accounts with savings more than $10000 cost $25.

Note: The price also depends on the victim's savings. If the savings go higher, the cost to obtain the details also goes higher. It is because of victims with high credit score accounts are less risky to attack as their banks won't notice it and won't cut it off.

Forged documents top the list in the prices. Physical passports are sold for $3k-$5k on the dark web. According to other reports, a 1-hour DDoS (Distributed Denial of Service allows the servers to shut down or stop working )attack on any bank or government website costs around $165.

How to prevent yourself? 

It is a bit difficult to prevent such attacks, but the users can always follow some rules to secure their account information. These are:

  •  Secure your devices with a password; a pin would be better.
  •  Avoid using public wifis while browsing or downloading apps. 
  • Use 2 step verification

Dutch Government Loses Hard Drive Containing Data of 6.9 Million Donors


Officials from the Dutch Ministry of Health, Wellness, and Sport confirmed this week that the government has lost two external hard disk storage devices that contained electronic copies of all donor forms filled with the Dutch Donor Register between February 1998 to June 2010, it was used to store personal information such as the first and the last name, date of birth, ID card numbers, address while filling the form, gender, copy of signatures and choice of organs being donated of about 6.9 million organ donors.

It was when authorities decided to sweep out old donor registration paper forms and wanted to get rid of electronic copies of all these donor forms, they discovered that the two aforementioned disks are nowhere to be found. There have been no comments made onto the encryption of data, it's not in public knowledge that whether the data was encrypted not.

The disks were last accessed almost four years ago and were put securely inside a safety vault for keeping a record, as per the statements given by the Dutch Donor Register, the hard disks were no longer to be found in the security vault and are still unaccounted for. Reportedly, the data stored into the disks belonged to over 6.9 million Dutch people – a few out of whom may no longer be alive, as per the authorities.

Although there is no proof regarding the data being stolen or misused by anyone, officials claimed that the lost donor forms do not consist of Dutch ID copies and other official documents of the people of Dutch which automatically reduces the likability of fraud or an identity theft taking place amid the incident of lost hard drives. The Minister for Health, Wellness, and Sport confirmed that the event did not affect the Donor Register's ability to deliver accurate donor data.

UK-Based Network Rail Confirms Online Exposure of Wi-Fi User Data


The travel details and email addresses of around 10,000 commuters who used free wi-fi provided at UK railway stations were exposed online, as per the confirmations given by UK-based Network Rail. The unfortunate event affected a number of railway stations including London Bridge, Norwich, Harlow Mill, Chelmsford, Colchester, Waltham Cross, and Burnham.

The incident came into light when a security researcher Jeremiah Fowler, from Security Discovery, discovered an unprotected database online consisting of 146 million records, it included personal information of travelers such as their contact details and DOBs. The confirmation on the incident followed after three days by the Network Rail and the service provider C3UK who took immediate measures to protect the leaked database, a backup copy containing around 10,000 email addresses of the commuters.

On 14 February, Fowler tried to contact C3UK and sent two emails over six days for which he did not receive any feedback. Reportedly, the data was not misused or stolen by any third party, therefore C3UK chose not to notify the data regulator, the Information Commissioner's Office (ICO).

Network Rail strongly recommended the service provider C3UK to report the vulnerability and informed media that they will have their data protection team reach out to ICO and explain its stance on the matter.

While providing assurance and explaining its position on the matter, C3UK said, "To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available."

"Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability," it added.

Meanwhile, the ICO also confirmed to BBC that it hadn't been notified, "When a data incident occurs, we would expect an organization to consider whether it is appropriate to contact the people affected and to consider whether there are steps that can be taken to protect them from any potential adverse effects," it said.

In the wake of the incident, Greater Anglia, a Great Britain based train operating company, which manages some of the affected railway stations told that it stopped employing C3UK to provide its station wi-fi. Meanwhile, the provider for London Bridge station assured the corresponding Network Rail that it was an issue of low-risk and that "the integrity of people's information remains fully secure."

Facebook Sues Data Analytics Firm for Improperly Harvesting User Data


On Thursday, Facebook filed a federal lawsuit in California Court against OneAudience, a New Jersey-based marketing firm mainly involved in data analytics. The social media giant claimed that the firm was paying app developers to secretly harvest its users' data by getting an infectious software SDK installed onto their apps. The SDK was planted in various gaming, shopping, and utility-type applications available to download from the Google Play Store, as per the court documents.

A software development kit also known as SDK is a downloadable collection of software development tools used for developing applications. It consists of the basic tools a developer would require to build a platform-specific app with ease and excellence. In other words, SDK basically enables the programming of mobile applications. However, these packages have their drawbacks too as they also contain tools like trackers and it collects information about devices and app usage to send it back to the SDK maker.

Facebook alleged in the lawsuit that OneAudience has blatantly misused the feature "login with Facebook" to acquire unauthorized access to sensitive user data without any permissions. OneAudience has also been accused of paying apps to gain access to users' Twitter and Google data when they log into the infected apps using their account info.

"With respect to Facebook, OneAudience used the malicious SDK – without authorization from Facebook – to access and obtain a user's name, email address, locale (i.e. the country that the user logged in from), time zone, Facebook ID, and, in limited instances, gender," Facebook remarked.

Earlier in November 2019, social media giants Twitter and Facebook told that OneAudience collected private user information and the incident left hundreds of users affected as their privacy was compromised when OneAudience illegally collected their names, email addresses, usernames, genders and latest posts through SDK.

While commenting on the matter, Jessica Romero, Director of Platform Enforcement and Litigation, said "Facebook's measures included disabling apps, sending the company a cease and desist letter, and requesting their participation in an audit, as required by our policies. OneAudience declined to cooperate."

"This is the latest in our efforts to protect people and increase accountability of those who abuse the technology industry and users," she further added.

WhatsApp and Telegram Group Links Leaked Online



A security researcher recently discovered that a lot of WhatsApp and Telegram Group invite links that may not be up for public viewing are appearing in multiple search engines like on Google, Yahoo, Yandex, and Bing.

On Friday, researcher Jordan Wildon, a multimedia journalist at Deutsche Welle warned that owing to a critical issue, several illegal groups and activities along with genuine private groups were exposed.

In the light of the leak, various security measures have been taken by both the companies, however, to erase the links from public searches completely so that they are no longer discoverable by people to join will require much more efforts.

This critical flaw not only abused the privacy of the aforementioned messaging apps by exposing around 450,000 groups online but also allowed data mining as the phone numbers were made available directly.

Notably, these messager apps' invite links have been indexed by several search engines. Due to this indexing feature, WhatsApp and Telegram group invite links are also being displayed publicly by these search engines and the visibility increased the reach even further. Two major happenings took place due to these leaked links – Unwanted and uninvited people joined various groups through the invite links and it also paved an easy path for hackers to discover other conversations through brute force attacks.

While addressing the issue, WhatsApp has seemingly removed the invite links for groups from Google and the company also took other steps in order to prevent indexing.

Wildon took to Twitter to provide updates, "JUST IN: Google appears to have removed indexing of WhatsApp links. Other major search engines appear to still be indexing chat links."

"UPDATE: This has been fixed on Google, but results are still available elsewhere. If you’re concerned, I’d recommend going into group settings, tapping “Invite to Group via Link” then “Reset link”. he tweeted.

Alert! The Days of WhatsApp Are Gone? Stronger Competitor In The Market!


Joy all around for the social media fanatics who had gotten quite bored of WhatsApp being their only source of incessant chatting provisions. And to those as well who felt unsafe because of the recent spyware that hit the beloved social media chat application.

The word around is that a recently surfaced social media chat application could give strong competition to the Facebook-owned social media service.

The users were already quite disconcerted about the recent cyber threat that hit WhatsApp and were in desperate need of any substitute to satisfy their daily social cravings.

The celebrated application goes by the name of “Signal”. Its unique characteristic is its keen focus on the privacy of the users.

Per sources, Signal has planned out to move towards the big market and go “main-stream”, owing it to the substantial monetary support it received from WhatsApp’s co-founder.

The financial backing is to facilitate “Signal” in getting better features and attracting the attention of people who are sort of done with using WhatsApp and are in want of other options, for whatever reasons.

Reports mention that the launcher of ‘Signal’ had continually been working on getting everyone access to encrypted communications without much fuss.

Now it finally is time for Signal to enter the world it was originally created for in the first place. It is a revolutionized effort at forming a more secure cyber-space for the people.

With key agendas like privacy and cyber-security being the central constituents of Signal, the application is sure to win a lot of hearts.

In recent times WhatsApp has been all over the place because of the alleged cyber threats, like spyware, it has been leaving its users open to. Because of which people’s trust over it has been withering gradually.

Per valid sources, Signal is special because it is encrypted from end-to-end. Its servers do not store any sort of “conversation metadata” on them. This especially was quite a hefty task for the developers to work their way around. They also had to work on enabling “group administration” to let people add and remove members without the servers’ knowledge. But they did it.

Hence, at a time like this, Signal is a very welcome blessing for social media fanatics who have become so used to social applications that they can’t imagine their lives without them.

Deputy of the State Duma of the Russian Federation: it is necessary at the legislative level to protect the data of Russians on Facebook


Andrey Alshevskikh, the State Duma Deputy, said that the threat to the personal data of Russian users of the social network Facebook is real. The Deputy notes that it is necessary to take appropriate security measures at the legislative level.

The day before it became known that the hacker group OurMine hacked two official Facebook accounts on Twitter. On the night of February 8, an appeal appeared on these pages stating the vulnerability of Facebook to hacker attacks. It was also said about the weakness of the Twitter security system.

"As for Facebook, this is not the first case and, something tells me, not the last. It is necessary to deal with such cases in detail and take concrete steps at the legislative level, make amendments to existing laws, and adopt new ones to protect the data of Russian citizens," said the Deputy.

Alshevskikh recalled that the threat to the personal data of Russians who use Facebook was mentioned repeatedly. Therefore, a law was adopted providing for the storage of personal data of citizens of the Russian Federation in Russia, however, some companies do not want to comply with it.

"We need to force Facebook to comply with Russian law," said Alshevskikh. Recall that earlier Roskomnadzor started administrative proceedings against Facebook and Twitter, which did not provide a localization report at the indicated time. Refusal to localize, according to Russian law, faces a multimillion-rubles fine. In the case of the first violation, legal entities may be charged up to 6 million rubles ($94,000), in the case of a second violation - from 6 to 18 million rubles ($94,000-$282,000). Court hearings have already been scheduled and will take place on February 13 in a Moscow court.

Earlier, CEO of a detective agency and speaker on cyberattacks Vladimir Golovin recommended that those who are concerned about the safety of their personal data stop using Facebook.

CEO of a detective agency and speaker on cyber attacks: users should understand that Facebook is leaking their data


Numerous Facebook leaks in 2013 and 2016 put users in a position where they are not responsible for their security. This opinion was expressed by the General Director of the detective agency and speaker on cyber attacks Vladimir Golovin.

The Cybersecurity team at Check Point Research found out that Internet attacks were most often carried out on Internet users to obtain their personal data via Facebook for the last quarter of 2019. A social network is not able to protect its customers from online fraud.

Experts told about such a fraud scheme as "phishing", which consists of the theft of the username, password and other personal data. Hackers operate through social networks or other platforms where people leave information about themselves. As a result, it turned out that Facebook has become the leader among platforms that are hacked by scammers. The second line is occupied by the Yahoo service, and in third place is Netflix.

According to Golovin, when a user leaves their data somewhere, their security depends on him only by 50%.

"If you want to give your personal data, then use Facebook. If not, you don't need to use it at all," said the speaker.

According to him, today people have the wrong attitude to personal data, so it is worth starting the fight with this. Many people do not understand the danger they face when leaving personal information on unverified sources.

Golovin notes that Facebook continues to do the same, leaking user information.
"Therefore, in the field of information security and data storage, all these are political games," he concluded.

It is worth noting that, in addition to the constant leak of personal information, foreign sites continue to brazenly violate Russian laws by refusing to transfer servers with Russian data to the territory of the Russian Federation. Ruslan Ostashko, editor-in-chief of the online publication Politrussia, said that it is necessary to register the possibility of blocking the activities of Facebook and Twitter at the legislative level.

Ukrainian authorities proposed online media to track readers and transfer data to the cyber police


A real scandal began with the rights of journalists, the media and freedom of speech in Ukraine. The Ukrainian cyber police sent a circular to various Internet publications in Ukraine with a proposal to install special software codes on the websites of publications in order to track and identify readers of publications. At the same time, all data must be transmitted to the cyber police of Ukraine.

In the document received by the media, the cyber police proposes to install a special script developed by the Agency on the site of publications, which would allow identifying network users who use a VPN or anonymizer. All data of users of Internet publications who have installed such a code is sent to a special server of this body.

Note that 99.9% of all users of the Ukrainian network use VPN in Ukraine. This is caused by the blocking of all Russian resources by the Ukrainian authorities. In the absence of high-quality Ukrainian services and social networks, Ukrainian citizens continue to use Russian Yandex, Vkontakte, Mail.ru and read Russian media. Obviously, the Ukrainian authorities, on the orders of Vladimir Zelensky, have now decided to identify such citizens.

The cyber police of Ukraine noted that they did not insist on installing such codes but only suggested. At the same time, the Ukrainian cyber police does not see anything shameful in such a proposal but considers it the interaction of the state and the private sector in the field of combating cybercrime.

However, it is important to note that the existence of such a script from the cyber police on Ukrainian media sites is a criminal offense. Such actions of the Ukrainian cyber police violate a number of laws and the Constitution of Ukraine. They violate freedom of speech, freedom of the media, freedom of access and dissemination of information, human rights, processing of personal data, and the presumption of innocence. As well as a number of European and international norms and laws in this area.

Moreover, for a long time, citizens of Ukraine have been asking the President of Ukraine to unblock Russian sites.

Facebook to give $550 Million as a Settlement in a Lawsuit


Social Media giant Facebook is to pay an amount of $550 million as a settlement in what appears to be another series of lawsuits, and this time, it is a Facial Recognition issue. The lawsuit is not good for the brand perception of Facebook as it puts further questions to the credibility of the privacy laws of the social networking site.


"Facebook has agreed to pay a settlement of $550 million related to a claim filed for FB's facial recognition technique," said Facebook this Wednesday. The incident that appeared in Illinois is said to be a great triumph for privacy organizations as it raises the question of privacy laws of the company Facebook which is already among the controversies of data laws. The issue emerged from FB's image labeling technique named 'Tag Suggestions,' which uses facial recognition techniques to suggest the name of users present in the photo.

The company that has filed lawsuit accused Facebook of collecting the facial data of the company's employees that violate Ilionis Biometric Privacy law. It accuses Fb of storing data of millions of users for Tag suggestions without the knowledge of the company's employees and also without them knowing how long the data will be kept. Facebook has dismissed the allegations saying it has no basis of proof. As per the settlement, FB has to pay $550 Million as legal fees to the affected users of the Illinois company. This payment even surpasses the $380 Million amount that the reporting agency 'Equifax' had agreed to pay for the settlement of a 2017 consumer data breach incident.

"Facebook agreed to settle the case by giving back what was rightful to the community and in the goodwill of public interest, as it affects our stakeholders," says FB's spokesperson. "The settlement highlighted the importance of user privacy and security," says lawyer Joey Edelson, whose firm addressed the issue on behalf of the affected users of Facial Recognition suit. He further says, "people worried about issues related to gun rights concerning women safety or people who like to participate in societal issues by not disclosing their identity hold the same importance and we should respect their privacy."

Avast Antivirus Harvested Users' Data and Sold it Google, Microsoft, IBM and Others



Avast, a popular maker of free anti-virus software being employed by almost 435 million mobiles, Windows and Mac harvested its users' sensitive data via browser plugins and sold it to third parties such as Microsoft, Google, Pepsi, IBM, Home Depot, and many others, according to the findings of an investigation jointly carried out by PCMag and Motherboard.

As per the sources, the investigation basically relied on leaked data; documents used to further the investigation belonged to Jumpshot which is a subsidiary of Avast. The data was extracted by the Avast anti-virus software itself and then repackaged by Jumpshot into various products which were sold to big companies as the report specified, "Potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others."

"The sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it," other company documents found.

Allegedly, Avast has been keeping a track of personal details such as exact time and date when a user starts surfing a website, the digital content being viewed by him and his browsing and search history. As per the findings, the information sold by Jumpshot includes Google Maps searches, Google search engine searches, YouTube videos viewed by users, activity that took place on companies' LinkedIn handles and porn websites visited by people. The data contained no traces of personal information of people like their names or email addresses, however, the investigators at Vice pointed out how the access to such precise browsing data can potentially lead back to the identification of the user anyway.

When the investigation reports were made public, Jumpshot stopped receiving any browsing-related data harvested by extensions as Avast terminated the operations, however, currently, the popular anti-virus maker is being investigated for collecting user data asides from browser plug-ins.

While Google denied commenting on the matter, IBM told Vice that they have no record of dealing with Avast's subsidiary, Jumpshot. Meanwhile, Microsoft made it clear that at present they are not having any relationship with Jumpshot.

Bot List Containing Telnet Credentials for More than 500,000 Servers, Routers and IoT Devices Leaked Online


This week, a hacker published a list on a popular hacking forum containing Telnet credentials for over 515,000 servers, home routers and IoT (Internet of Things) "smart" devices. The massive list which reportedly was concluded by browsing the whole internet in search of devices that left their Telnet port exposed, included IP addresses of all the devices, username and password for the Telnet service and a remote access protocol that can be employed to control devices over the internet.

After scanning the Internet in search of devices exposing their Telnet port, the hacker attempts to use either factory-set default usernames and passwords or custom but guessable combinations, as per the statements by the leaker himself.

These lists, generally kept private – are known as 'bot lists' that are built after hackers scan the Internet and then employed them to connect to the devices and install malware. Sources say that although there have been some leaks in the past, this one is recorded as the biggest leak of Telnet passwords till date.

As per the reports of ZDNet, the list was made available online by one of a DDoS-for-hire (DDoS booter) service's maintainer. There's a probability that some of these devices might now run on a different IP address or use other login credentials as all the leaked lists are dated around October-November 2019. Given that using any of the listed username and password to access any of the devices would be illegal, ZDNet did not use it. Therefore, they were not able to comment on the validity of these credentials.

A security expert in the field of IoT, requesting for anonymity, tells that even if some of the listed credentials are invalid by the time for devices now have a new IP address or password. However, the listings still hold a lot of value for a skillful and talented attacker who can possibly use the present information in the list to identify the service provider and hence update the list with the current IP addresses.

Certain authentic and verified security researchers are given access to the list of credentials as they volunteered for it.

European Union likely to ban Facial Recognition for 5 years


The EU (Europian Union) is considering restricting the use of facial recognition technology for a possible duration of 5 years, in public area sectors. The reason being is the regulators need some time to consider the protection of unethical exploitation of the technique. The facial recognition is a technique that lets to identify faces that are captured on camera footage to be crosschecked against real-time watchlists, mostly collected by the police.


However, the restrictions for the use are not absolute as the technique can still be used for research and development, and safety purposes. The committee formulating the restriction drafted an 18-page document, which implicates the protection of privacy and security of an individual from the abuse of the facial recognition technique. The new rules are likely to strengthen the security measures further against the exploitation. The EU suggested forcing responsibilities on either party, the developers, and the users of AI (artificial intelligence) and requested member countries of the EU to build an administration to observe the recent laws.

Throughout the ban duration that is 3-5 years, "a solid measure for evaluating the repercussions of facial recognition and plausible security check means can be discovered and applied." The recommendations appear among requests from lawmakers and activists in the United Kingdom to prevent the police from unethical abuse of the AI technique that uses live facial recognition technology for purposes of monitoring the public. Not too late, the Kings Cross estate got into trouble after a revelation that its owners were using facial recognition without the public knowing about it.

The politicians allege that facial recognition is fallacious, interfering, and violates the basic human right of privacy. According to a recent study, the algorithms that facial recognition uses are not only incorrect but are also flawed in identifying the black and Asian faces in comparison to those of the whites.

How Facial Recognition works?

  • The faces stored in a police photo database are mapped using the software.
  • CCTV present at public places identifies the faces. 
  • Possible matches are compared and then sent to the police. 
  • However, pictures of inaccurate matches are stored for weeks.

Phishing Attack Alert! Los Angeles County Says No Harm Done!


A Phishing attack last month surfaced over the LA County which was immediately contained before any devices got compromised.

The attack was discovered by the staff, last month. The containment of the attack was done by the staff instantaneously before much damage was done.

The hackers were apparently after the county’s residential data.

Per sources, it all began when the Los Angeles County received a phishing email which extended malicious activities. The malicious campaign was aimed at stealing the receiver’s personal data.

The hackers’ plan was to get the recipient to click on the links/attachment in the email. Reportedly, the email had come from a “third-party account”. Allegedly, the distribution list of the third party got leaked and was sent to more than 25 county employees.

Per website sources, The LA County happens to be the most populated area in the US. It has over 35,000 personal computers, 12,000+ cell phones and 800+ government network locations.

According to reports the “Internal Services Department” happens to support the “Countrywide Integrated Radio System” which extends essential services during emergencies.

Most local governments have faced attacks along the same lines including Los Angeles County as well. Per sources, in the Minnesota case where the phishing attack targeted over 100 LA County employees, the personal data including targets’ names, social security numbers, dates of birth, card details and other personal data was compromised.

It is evident that the phishing attack could have taken a gigantic form if it hadn’t been for the prompt skills of the employees and staff of the LA County.

Given that such a humongous number of devices and networks could have been jeopardized this attack must necessarily be taken as a serious warning.

The already existing and well-established security controls of the county also had a lot to contribute to this successful aversion of the accident.

Reportedly, the county’s Chief Executive Officer had taken this incident as quite a forewarning and mentioned that they would work stalwartly towards improving the security provisions and strengthening them.

The overall incident is still under investigation by the county along with help from a few private participants.

Privacy Alert! Xiaomi's Security Cameras Not All That Secure?


If you think that if you have a security camera at your home then you are safe, you are absolutely wrong to sleep on your chair so freely!

Xiaomi instantly hit headlines when one of its security cameras displayed stills of a man sleeping on a chair.

Xiaomi, the global giant known for its great products at a low price per reports, had launched a “Home Security Camera” earlier. With increase in the use of security cameras the aspect of privacy and security are still a major concern.

The Home Security Camera by Xiaomi which offers a 1080p recording, infrared night vision, AI motion detectors ad lots more apparently was too high-tech when it displayed pictures from other cameras from “Google Nest Hub”.


Reportedly, the issue surfaced when a user reported that his Xiaomi Security Camera displayed still images from someone else’s camera on the Google Nest Hub of “a man sleeping in his chair”.

Allegedly, the user mentioned that the firmware the “Nest hub” and the “Xiaomi Security Camera” were freshly bought and working on the version 3.5.1_00.66.

Google, as a result of this case disabled Xiaomi integrations on its devices. Users could link the Xiaomi Home Security Camera to their Google accounts and access the Nest devices via the Mi Home application.

Xiaomi immediately, stunned with Google’s response apparently, issued a statement mentioning that they had fixed the issue and that in fact the issue happened owing it to a “cache update”.

The update which was supposed to make the security cameras better in terms of improved streaming quality ended up displaying images “under poor network conditions”.

Per sources, the company cited that over 1000 users had the above mentioned “integrations” and only a “few” with tremendously poor network were majorly affected.

Eventually, the service got suspended by Xiaomi as it mentioned to Google, allegedly.

It goes without saying that the conditions in which this incident took place are extremely rare and the entire satiation is under investigation by the security team of Xiaomi and that the issue wouldn't occur at all if the cameras are linked to the Mi Home app.

Xiaomi also profoundly cited that for them, users’ privacy and security has always been paramount. The issue about the reception of still images while connecting to Mi Home Security Camera on Google Home hub is deeply regretted for. They also apologized for it profusely.



7 Easy Habits to make you Digitally Secure!


So 2019, was quite a year for hackers and security breaches. Countless malware, trojans, ransomware and data breaches attacked the business and financial sector leaving our security and information more exposed and feeble. And these hackers have moved from targeting the rich and high profile to the common people and the consequences can be right down scary. And that's why it becomes imperative that we protect ourselves from these attacks. It may seem like impossible feet but a few simple habits can go a long way to keep us cyber safe and cyber secure. Let's take a look-


1. Antivirus software 
Leaving your computer exposed without any antivirus means you are gladly inviting virus and malware into your system. Installing an antivirus is the first line of defense and quite simple. Using anti-virus software is the foundation from which all your other online safety habits are built. 

2.Thinking free means safe 
Always be aware of freebies on the internet and cyberspace be it free software or free wifi. Especially using free or public wifi can cost you dearly. Since this type of network is open for use by anyone, there’s a high risk of exposing your system to malware and having the information you send or receive (including passwords) viewed and collected by criminals. So, avoid using public wifi and even if you have to consider VPN( Virtual Private Network)

3.“Remind me later” 
FoxNews says, "Are you notorious for rescheduling software updates but never actually installing them? If you often hit the “Remind me later” button, you’re asking for trouble. "Don’t prevent your system from receiving the latest tools and security patches needed to fight off attackers and viruses."

4. Beware of attachments on Emails 
Clicking before you investigate, can be lethal for your security. Many ransomware seems like legit emails from governments and when you click the attachment, the word file activates the ransomware in your system. So, always be prudent about opening attachments and links given in mails.

5. Don't go with the lazy option - set a strong different password 
Using the same password for every platform makes it easier for the hacker to get in your machine. Also, if one platform is hacked it can lead to a chain hacking of your full online presence.

6.Forgetting about your online presence 
FoxNews advises that it’s common to have a ton of online accounts. Over time, you may forget about a few of the ones you rarely use or have stopped using entirely. That means if your account is compromised, you may not even notice. Jot down all the accounts you’ve created and routinely go through and delete those you no longer use.

7.Accepting terms you never read 
And the last and most common mistake that we are all guilty of- accept terms and conditions without reading them. Apps and software can easily access our data, pictures, SMS, and others legally and easily because of this.

Today, the world is getting smart, everything is connected from your phone to your TV with the integration of the Internet of Things (IoT) and thus it's important to adopt some healthy security habits.