Search This Blog

Showing posts with label User Data. Show all posts

Chinese Smartphone Maker OnePlus Discloses Data Breach





Chinese smartphone manufacturer, OnePlus has announced a data breach where the order information including names, contact numbers, email addresses and shipping addresses of customers from its online store was exposed. However, customers' payment information, passwords, and accounts haven't been compromised in the incident. OnePlus ensured that the affected customers are being timely notified.

The company told in an FAQ that the breach took place last week and was discovered immediately. According to the officials, it was a certain vulnerability in their website which became the entry point of the attackers. However, no additional details were provided by OnePlus.

"We took immediate steps to stop the intruder and reinforce security, making sure there are no similar vulnerabilities. Before making this public, we informed our impacted users by email. Right now, we are working with the relevant authorities to further investigate this incident." the company said in the FAQ.

As a security measure to ensure there exists no similar security vulnerability, OnePlus thoroughly examined the
website. Furthermore, the company is making efforts to upgrade its security program which included partnering with a world-renowned security platform next month. The company told that it would be launching a bug bounty program by the end of this year.

In the OnePlus security ecosystem, this came as the second hit to the privacy of its users, the company witnessed a similar one last year in January wherein almost 40,000 were affected and users' credit card information was stolen. OnePlus's breach came after T-Mobile announced a similar data breach that impacted a small number of accounts using the company's prepaid offerings.

"Our Cybersecurity team discovered and shut down malicious unauthorized access to some information related to your T-Mobile prepaid wireless account," the company said. "None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised."

"The data accessed was information associated with your prepaid service account, including name and billing address (if you provided one when you established your account), phone number, account number, rate plan and features, such as whether you added an international calling feature," the company further added.

Open databases leaked 93 Million billing files of patients.



Around 93 Million billing files were exposed containing information of patients from drug and alcohol addiction facilities by a misconfigured AWS s3 storage bucket. These three drug and alcohol addiction facilities were operated by San Juan Capistrano, California-based Sunshine Behavioral Health, LLC namely SBH’s Monarch Shores location in San Juan Capistrano; Chapters Capistrano facility in San Clemente, Calif.; and Willow Springs Recovery center in Bastrop, Texas. Patients from these facilities had their data open and accessible and SBH was repeatedly informed by DataBreaches.net about this leak.



The exposed data consisted of billing details like individual's name, birth date, physical and email addresses, phone numbers, debit and credit details like card numbers with partial expiration dates and a full CVV code and health insurance information, including membership and account numbers and insurance benefits statements. Roughly, 93 Million files were released but comparatively fewer individuals were affected as patients had multiple files to their name. The news was covered by DataBreach.net yesterday, but they have been following the case since August.

An anonymous individual tipped DataBreach.net about the open database in late August and they informed Sunshine Behavioral Health regarding the leak on September 4th but to no avail. They then spoke to SBH's director of compliance, Stephen VanHooser and shortly the data was made private. But, unfortunately in November Databreach.net noticed that “the files were still accessible without any password required if you knew where to look.

And anyone who had downloaded the URLs of the files in the bucket while the bucket was exposed would know where to look.”, stated the post. The data and files were finally secured after they again reached out to SBH on Nov 10 and 12. Adding to that, the three-drug and alcohol addiction facilities haven't made the leak public, There has been nothing on their website, the California Attorney General’s website, or HHS’s public breach tool, even though it is more than 70 days since they were first notified,” the blog states. Maybe the affected parties were informed but not the public.

xHelper: A Non-Destructive Malware that has Affected 45,000 Android Devices


A new Android trojan tension has become a headliner after darting upon the detector of several cyber-security firms and disturbing the smartphone users, because of its re-installing peculiarity that has become a headache. The malware was located in March for the first time but it gradually developed to affect the android phones.


Hot as xHelper, it is a unique malware that has been detected by antivirus corporations. xHelper is quite dangerous as it has a self re-install origin, a process that makes it very difficult to eliminate from Android gadgets. The Trojan is said to have corrupted around 45,000 devices. "Every day, 131 different devices are corrupted, whereas, 2,400 devices are being affected every month," says Symantec, a cybersecurity company. Eliminating the xHelper assistance from your Android device is useless as the malware re-establishes itself despite the user completing a factory reset.

In the conclusion of a story, the Trojan provides for popup ads on devices simultaneously beside spams. These popup notices make profits for the bodies responsible for the deed. Also, the trojan-infected android devices are required to install various apps from the Google Play Store, once the damage has been done. The malware secures profit in the scheme of pay-per-download payments, once the application is installed on the android phone.

But it appears that the Trojan does not perform any lethal actions on the device. "xHelper is only confined to interfering popup ads and spams, it doesn't possess any severe threat to the device" claims the reports of Symantec and Malwarebytes. Besides, excluding the xHelper assistance from the Android OS devices won't do any relief as the malware re-fixes itself despite the user restoring the phone to factory reset settings. The matter of concern, though, is the point that android device users have been notified that while xHelper is momentarily only confined to popups, spams, and ads, it can, however, install different applications, which could extend a secondary degree trojan threat that can steal sensitive data such as personal information and banking credentials of the users.

A New Malware that steals Personal Information via Discord App


Hey there, all the gamers and tech freaks. Beware! A new malware is coming right at you. Also known as 'Spidey Bot' by its researchers, this malware is quite dangerous as it can take all your personal information such as passwords, IP addresses, emails, contacts, and Discord usernames. The Windows Malware does this by inserting itself into the Discord app's cipher.


As if this wasn't enough, the malware can also get a backdoor entrance into your device by copying the first 50 letters typed in your keyboard which may contain critical information such as recently used passwords. This is done in order to get more malware fixed in your device. Discord is an application that is specifically designed for the video gaming community. It is also a digital platform where various PC gamers from across the world can connect and form a community of their own.

Lately, Discord has also become an ideal platform for users who have been thrown out from Twitter and Reddit for their peculiarly offensive comments; hence they are free to express their thoughts here. Sadly, you won't be able to grasp if your Discord file is affected, and even if you do, you can't do anything much about it. The best you can do is remove the software and then reinstall it to confirm that you are safe. Therefore, having the best antivirus is the only solution to prevent your computer from malware threats. Even the software company Discord is helpless in countering to user problems.

"Unluckily, there's nothing any Discord can do to anticipate threats here. Still, the user should be careful while clicking on unknown links and should be critical of downloading unfamiliar software. Doing so can invite Malware to your system. Installing an untrusted program can alter your Discord on your PC," tweeted Discord in response to user complaints. This is not the problem with the language but it's on the user end. The only alternative solution to this Malware threat is by telling the user to access the Discord app via their phones and gaming consoles instead of your computers.

Pos Malaysia: Malware Attack Disrupts Internal Systems and Online Services



IT infrastructure of Pos Malaysia, postal delivery service in Malaysia, took a major hit from ransomware which rendered some of its online services inaccessible. After detecting the attack on Sunday, the company took immediate measures to shut down internal systems and parts of its online systems; they also lodged a police report with Royal Malaysia Police for attempted malware attack and reached out to concerned authorities to ensure the safety of their systems and database.

The website of the company was displaying an error message during the downtime, which said, “Sorry, we are under maintenance.” It was discovered during a system update on October 20 and since then, the company released three statements insisting on the safety of customers’ personal data and sensitive information. It assured that no user data was compromised and the issues are being rectified. Gradually, several of Pos Malaysia’s online services have been made accessible while over the counter services remain available at the company’s branches nationwide. However, the officials refrained from providing a specific timeline for the entire restoration of the halted services.

Seemingly, it was a major attempt that caused disruption in the company’s internal systems and online services for the past few days and subsequently affected the overall company’s operations.

In a statement on Facebook, Pos Malaysia told, “Our team has managed to rectify and restore several of the system and online services. We assure our customers that their data and personal information are safe.”

“We extend our apologies for the inconvenience caused and thank our customers for their kind understanding, patience and support during this period. We will provide regular updates from time to time,” it added.

Announcing that the services will be restored and made fully accessible gradually, a spokesperson told The Star, "Customers and business partners may now gradually access our services. Over the counter services at all branches remain available.”

"Currently, proactive steps are being taken by our IT recovery team to ensure minimal impact to our customers and business partners. While contingency plans are being considered to rectify and restore online operations, the majority of our services at all Pos Malaysia branches are still available," he added.

People who have made shipments via Pos Malaysia or have pending shipments and it required them to share any sensitive data with the postal delivery company, odds are it would have been compromised in the attempted malware attack, therefore, they are advised to check their private credentials where necessary.

Cybersecurity Researchers Discovered Attack Which Uses WAV Audio Files to Hide Malicious Code


We are living in an age where user security being breached is one of the most familiar headlines we come across in the cybersecurity sphere, attackers have continued to discover unprecedented ways to compromise user data and have strengthened the older ones.

A widely used technique which allows hackers to break into computers and extract user data without getting noticed is resurfacing again, this time making the detention even more complex by embedding the malware inside audio files resembling the regular WAV format audio files on the computer, according to the cybersecurity researchers at Cylance, a California based software company that develops antivirus programs and other software to prevent malware.

Hackers employed a method known as ‘Steganography’ to hide and deliver malware, it involves hiding a file, video or message with the help of some other file. Researchers at Cylance discovered the malicious code embedded inside the WAV audio files with each file containing a ‘loader component’ which decodes and executes the malware. The threat actors carry out these malicious activities using a crypto mining application known as XMRig Monero CPU Miner.

Although, hackers have used viruses and spyware to infect files and break into computers previously, this is the first time ever where a file has been explicitly used to deliver a crypto mining software into a system. Cybercriminals are always looking to undo the measures taken by security officials. It is evident from how they are now employing even sophisticated strategies as earlier, the only way to deliver crypto mining malware was through malicious scripts on browsers, websites or software programs that came with malware.

Referencing from the statements given by Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, to Help Net Security.  “One WAV file contained music with no indication of distortion or corruption and the others contained white noise. One of the WAV files contained Meterpreter to establish a reverse-shell to have remote access into the infected machine. The other WAV files contain the XMRig Monero crypto-miner,”

“Attackers are creative in their approach to executing code, including the use of multiple files of different file formats. We discovered several loaders in the wild that extract and execute malicious code from WAV audio files. Analysis revealed that the malware authors used a combination of steganography and other encoding techniques to deobfuscate and execute code” the researchers at Cylance pointed out.

“The similarities between these methods and known threat actor TTPs may indicate an association or willingness to emulate adversary activity, perhaps to avoid direct attribution,” the researchers further remarked.

In order to stay guarded, users are advised to have proper anti-virus tools installed on their computers and stay alert while downloading any kind of file from the internet.

Twitter Used Phone Numbers and Email Addresses Provided for Security to Target Ads


Twitter, on Tuesday, admitted using phone numbers and email addresses of users provided for the purpose of enhancing security via two-factor authentication to serve target ads.

However, sensitive user data has not been shared with the company’s third-party partners and the issue which stemmed the incident has been taken care of; now the phone numbers and email addresses are only asked for security purposes, according to Twitter.

Last year, Facebook was caught for engaging in a similar practice where the phone numbers and email addresses provided by the users to make their accounts more secure were used by the social media giant to target ads, as per the Federal Trade Commission (FTC).

In the wake of the breach, Twitter received widespread criticism for compromising its users' privacy. The fact that user security has been violated through a framework that was intended to rather strengthen it, further fuelled the public reproval. Although the company did not intend to use sensitive user data for the purpose of ad targeting, one can’t deny that the platform was practicing the aforementioned without the knowledge of its users. Moreover, it took the company almost a month to disclose the information.

Putting what Twitter called as an 'error' into perspective, it wrote in a post on its Help Center website, “Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser's own marketing lists (e.g., email addresses or phone numbers they have compiled)."

"When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes." The company added.

Remarking data (here) as a liability, Duruk, a human-computer interface expert, wrote “Phone numbers stored for 2FA end up in advertising hellhole. The more you accrue, the more someone inside your org will find a way to abuse it.”

Apologizing for the inadvertent mistake, Twitter further wrote, "We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again."

Indian users third most affected by Formjacking attacks, after the US and Australia


Followed by the US and Australia, Indian users were the most exposed to Formjacking attacks, according to a new survey by cybersecurity firm, Symantec, which has blocked over 2.3 million formjacking attacks globally in the second quarter of 2019.

In 2018, American users faced 33% of the total formjacking attacks; however, during the first half of the year 2019, they became the most exposed to these attacks with more than 50% of all the global detections. On the other hand, India with 5.7% of all the global attacks ranks third, as per the Symantec report.

Formjacking, a new dangerous threat in the cyber world, operates by infecting websites via malicious codes; mainly, these are the websites that involve filling out job applications, government forms, and credit card details. Symantec carried out a comprehensive analysis of formjacking attacks in its Internet Security Threat Report (ISTR) which calls attention to the ways users and websites have been affected by this critical cyber threat in 2018-19.

“We expect this formjacking trend to continue and expand further to steal all kinds of data from web forms, not just payment card data. This also means that we are likely to see more software supply chain attacks. Unfortunately, formjacking is showing no signs of disappearing any time soon. Therefore, operators of online stores need to be aware of the risk and protect their online presence,” reads the report.

How ‘Formjacking’ Works? 

In order to inject malicious JavaScript code on the website, attackers and cybercriminals modify one of the JavaScript files which get loaded along with the website. Then, the malicious JavaScript code makes alterations in the behavior of the selected web process on the infected website which, as a result, allows hackers to unlawfully acquire credit card data and other sensitive information.

According to the findings of Symantec, the websites which are affected by Formjacking attacks stay under its influence for 46 days. A number of websites have fallen prey to formjacking, with publically reported attacks on the websites of major companies like British Airways, Ticketmaster, Feedify, and Newegg.

Warning the consumers around the globe, Candid Wueest, Principal Threat Researcher at Symantec, said, “Each month we discover thousands of formjacking infected websites, which generate millions of dollars for the cybercriminals," warned Candid Wueest, Principal Threat Researcher at Symantec.

"Consumers often don't notice that they have become a victim to a formjacking attack as it can happen on a trusted online store with the HTTPS padlock intact. Therefore, it is important to have a comprehensive security solution that can protect you against formjacking attacks," He added.

Oyo Leaves Customers’ Confidential Data Unprotected Due to a Security Flaw



The world’s third-largest and fastest-growing hospitality and homestay chain, Oyo is reportedly leaving its customer data unprotected, which makes it vulnerable to a breach due to a flaw found in its security systems. A cybersecurity researcher, Jay Sharma, who used Oyo for the first time in his life, found a loophole in the service which was exposing confidential information of the customers availing the service.

Founded in 2013 by 25-year-old, Ritesh Agarwal, Oyo has confirmed the presence of security flaw in an email to the cybersecurity researcher who took to the professional networking site, LinkedIn to share his first time experience with the service and sent the report of the same to the company’s Cyber team on 22nd of August. The data at risk included booking IDs, contact numbers, the date of the booking, the number of people staying in the room and location.

Sharma was offered a bounty reward of Rs. 25,000, which is the increased amount after the officials, reviewed the severity involved, the initial amount offered was Rs. 5000.

Sharing the insights of the experience and the details of the vulnerability, Jay wrote on LinkedIn, “I used Oyo for the first time in my life, and once I checked in, it was compulsory to enter booking ID and phone number to access the Wi-Fi”, “Why should anybody in the room be forced to share personal information via OTP (one-time-password) verification to use Wi-Fi?”

“I researched more and found that the HTTP & Ssh ports were open with no rate limit for the IP which was hosting this. Captcha was a 5 digit number generated by math.random(). I created a way to brute force the login credentials while executing the captcha.”

“Once login was brute-forced all the historical data dating back to a few months was accessible. The booking IDs and phone numbers related to these IDs with timestamps were stored naked and all of it could be downloaded by parsing HTML using python scripts.” He wrote.

Jay further warned the customers not to log in and “wait till OYO announces officially that they have fixed this issue” as “all the properties which use this login are vulnerable.”

Commenting on the matter, the company, headquartered at Gurugram, said “Oyo provides safe and secure hotels to unmarried couples. Most Oyo hotels allow unmarried couples and accept local IDs; they have well-trained staff who ensure safety and privacy,”

“Any vulnerability, no matter how limited-time or small is taken very seriously and looked into,” a spokesperson told in a statement.

Google about to Roll Out One of the Most Awaited Features



In 2018, Google broke headlines for tracking its users location even after they disabled the sharing of location history via their privacy settings.

There were complaints against the company, stating, "Google represented that a user ‘can turn off Location History at any time. With Location History off, the places you go are no longer stored.’ This simply was not true."

In the wake of receiving intense criticism over location history, Google came up with necessary adjustments which now allow users to stop the tech giant from tracking them, except for the applications in which location data is of utmost importance such as Waze and Google Maps.

In an attempt to make Google Maps even more secure and trustworthy, the company added enhanced security features related to location privacy in Android 10; to further better the services and regain the lost user trust, Google is planning to add Incognito Mode to Google Maps and the feature is said to be in testing.

Users can always put restrictions on the location data collected by Google Maps by signing out of their Google account, but it will come at the cost of their convenience, therefore, Google is planning to introduce Incognito Mode which can be turned on by the users in the same way they do it for Youtube or Google Chrome to delink the search or navigation data from their main Google account.

In order to activate Incognito Mode, users can simply choose the option from their Google account avatar and they will be informed about the app being in incognito mode by a black status bar and the marker indicating the location will turn into dark from blue to mark the change.

To enable the feature, users are recommended to install Preview Maps version 10.26 or higher and for those who are not a part of Preview Maps test group, wait until the company releases it on a wider scale.


Simjacker Exploits S@T Browser to Affect a Billion Users



Platform agnostic attack, Simjacker allows hackers to remotely exploit the victims' phone by sending a SMS which contains a malicious code; the code gives instructions to the universal integrated circuit card (UICC)/ SIM card placed inside the targeted device to retrieve and carry out sensitive commands.

The attack is set into motion as soon as the 'attack SMS' sent via another remote handset, is received by the targeted device. The process involves a series of SIM Toolkit (STK) directions particularly configured to be sent on to the SIM Card inside the victim's device.

To ensure a proper execution of these instructions, Simjacker exploits the S@T Browser, which is a software found in SIM cards. After receiving the 'attack SMS', SIM card resorts to the S@T Browser library for setting up the execution friendly environment which can trigger logic on the infected device.

S@T Browser, a legacy browser technology placed inside the SIM cards on a number of handsets, was typically used to send promotional messages or spam text messages. However, the attackers went on exploiting it for obtaining device's location and its unique International Mobile Equipment Identity (IMEI).

The attacker sends a SMS to the S@T browser asking it for the aforementioned information which it would obtain and store on to the SIM card. Then, the attacker would send another SMS to acquire the stored information. These messages are send and received in binary codes, unlike regular messages. It doesn't alert the victim in any manner and hence qualifies to be a highly effective tool for attacking mobile phones via messages.

Referencing from the findings of mobile carrier security company AdaptiveMobile Security, 

"The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands." 

"We believe this vulnerability has been exploited for at least the last two years by a highly sophisticated attacker group." The report reads. 

Notably, the exploit is working as a lot of operators are failing to check the origin of these binary codes (SMS), which can be blocked by configuring the firewall technology in their corresponding networks, advises AdaptiveMobile.





New Security Flaw in Google's Chrome Browser Lets Hackers Access Sensitive User Data



Hackers are always finding new ways to exploit bugs and compromise sensitive user data, a recently discovered flaw in Google Chrome which could lead to arbitrary code execution, allows attackers to view, edit or even delete confidential data.

The vulnerability in the browser was initially reported by the Centre for Internet Security (CIS) and it could have allowed hackers to execute arbitrary code in the context of the browser. In order to keep the flaw in check, Google Chrome released an immediate update for its users round the globe.

In the upcoming week, Google will be releasing patches for Mac, Windows and Linux, as per the reports. However, the older versions of the search engine, which are the versions before 76.0.3809.132 are prone to attack.

To be on a safe side, users are advised to have their browsers updated and be aware of suspicious websites. The report also recommends users to avoid following the hyperlinks from unknown sources.

“A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.” Reads the report.

US: Investigators can Use Fake Social Media Profiles to Monitor Potential Visa Seekers





US Citizenship and Immigration Services officers, who were previously banned from creating fake social media profiles, can now create such profiles for the purpose of monitoring social media information of foreigners attempting for visas, citizenship and green cards.

On Friday, the ban was overturned in the review of potential privacy issues conducted and posted online by the Homeland  Security Department.

Explaining the need for the reversal of the ban, a statement by USCIS said that locating evidence of fraud and cross verifying the information for security reasons will be made easier for officers and investigators while deciding whom to allow inside the US.

The concerned State Department took several other steps which included asking applicants applying for US visa to provide their social media handles. However, it is ambiguous how resorting to fake social media identities would be carried out successfully as the terms and conditions of major social media platforms like Facebook and Twitter would clearly be violated while impersonating.

Commenting on the matter, Twitter said in a statement, "It is against our policies to use fake personae and to use Twitter data for persistent surveillance of individuals. We look forward to understanding USCIS's proposed practices to determine whether they are consistent with our terms of service,"

As per the DHS document, the investigating officers are restricted from interacting or conversing with people on various social media platforms and are only allowed to review and verify information passively. Although a lot of social media activity can be viewed and hence reviewed without an account,  certain platforms still keep within bounds the access for the guest users.

Referencing from the remarks made by Dave Maass, a senior investigative researcher for the civil liberties advocacy group Electronic Frontier Foundation, use of fictitious accounts "undermines our trust in social media companies and our ability to communicate and organize and stay in touch with people."

"It can't be this double standard where police can do it, but members of the general public can't." He added.

Older Lenovo users uninstall Solution Center soon

Owners of older Lenovo laptops need to uninstall the Lenovo Solution Center as soon as possible. 

Security researchers at Pen Test Partners found a critical vulnerability in the Lenovo Solution Center that could hand admin privileges over to hackers or malware.

According to Pen Test Partners, the flaw is a discretionary access control list (DACL) overwrite, which means a low-privileged user can sneak into a sensitive file by exploiting a high-privileged process. This is an example of a "privileged escalation" attack in which a bug can be used to gain access to resources that are normally only accessible to admins.

In this case, an attacker could write a pseudo-file (called a hard link file) that, when run by Lenovo Solution Center, would access sensitive files it otherwise shouldn't be allowed to reach. From there, damaging code could be executed on the system with administrator or system privileges, which is basically game over, as Pen Test Partners notes.

Lenovo Solution Center is a program that was preinstalled on Lenovo laptops from 2011 up until November 2018, which means millions of devices could be affected. Ironically, the program's purpose is to monitor the health and security of a Lenovo PC. While this flaw isn't such a big concern for individual users who can quickly protect their systems, larger companies who own a fleet of older ThinkPad laptops and use legacy software might be slow to react.

For its part, Lenovo published a security statement warning users about the bug and urging them to uninstall Solution Center, which the company no longer supports.

"A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018," reads the statement.

New Vulnerability in Bluetooth Connections Allows Hackers to Spy on Private Conversations


Bluetooth is used worldwide as one of the most convenient methods of connecting and controlling the devices in range. However, according to a recent report, a vulnerability labeled as the KNOB (Key Negotiation of Bluetooth) attack has been found in Bluetooth connections.

All the Bluetooth compliant devices can be affected by the vulnerability, which allows attackers to spy on a victim's personal conversations. Hackers can also exploit the vulnerability to manipulate the data present on the compromised device.

How the attack unfolds? 

While establishing a functional Bluetooth connection, both the devices rely upon an encryption key. Therefore,
in order to execute the attack, hackers exploit the vulnerability in the Bluetooth standard and weaken this encryption of Bluetooth devices instead of breaking it straightaway.

The attacker gets in the way while the devices are setting up the encryption key and resorts to brute force attack for breaking the new key with less number of digits and manipulates both the devices to employ the new encryption key.

The vulnerability affects devices by some of the renowned manufacturers namely, Apple, Qualcomm, and Intel. Companies like Apple, Microsoft, Cisco, Google, Blackberry, Broadcom and Chicony has already issued a patch to fix the flaw, as per the reports by Mashable.

The group of researchers from the Singapore University of Technology and Design, University of Oxford, and CISPA Helmholtz Center for Information Security, who found this critical vulnerability, explained, "We found and exploited a severe vulnerability in the Bluetooth specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker is able to listen, or change the content of, nearby Bluetooth communication, even between devices that have previously been successfully paired."

Student Uncovers Flaw in Education Software Exposing Data of Students



A high school senior in Lexington, Massachusetts discovered two vulnerabilities in software programs employed by his school which could have potentially affected the student data of around 5 million students.

Billi Demikarpi is a teen hacker who developed a penchant for hacking when he was in the freshman year and subsequently uncovered serious security flaws in two education programs, Aspen and Blackboard.

Reportedly, the probable consequences of these vulnerabilities would have been more disastrous than those San Diego Unified School District faced after the massive data breach that put to risk the data of more than 500,000 students along with the staff of the school.

The information that could have been exposed via the Aspen vulnerability includes details of bus routes, birthplaces, special education status, number of reduced or free lunches and suspensions.

It could have been exploited by the hacker to gain access to the data on the website after entering his own script as the Aspen website lacked the filters which other websites usually contain in order to reject hacker requests.

According to the statements given by both the companies, no one has exploited the security flaws besides Billi, who only accessed the information about himself and of a friend's whom he took consent from before doing so.

While sharing  his experience, Demirkapi said, “These companies say they're secure, that they do audits, but don't take the necessary steps to protect themselves from threats.”


Capital One Data Breach, Hacker gets Access to 100 Million Accounts


A massive data breach to Capital One servers compromised the personal details of an estimated 106 million bank customers and applicants across Canada and the US.

The suspected hacker, Paige Thompson, 33, has been arrested by FBI on Monday. She has shared details about the data breach on a GitHub page earlier in April, according to the criminal complaints.

Thompson broke into a Capital One server and illegally acquired access to customers' names, addresses, credit limit, contact numbers, balances, credit score, and other related data.

According to the documents, the 33-year-old, Seattle resident gained access to 80,000 bank account numbers, 1 million Canadian Social Insurance numbers, and 140,000 Social Security numbers.

Thompson who had previously worked with Amazon Web Services as a software engineer was able to access the data by exploiting a misconfigured web application firewall in company's infrastructure, as per a court filing.

Despite the magnitude of the breach, "no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised," the company told.

Expressing concern over the matter, Chairman Richard Fairbank, said, "While I am grateful that he perpetrator has been aught, I am deeply sorry for what has happened.

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," he assured.

Meanwhile, the company is notifying the victims and aiding them with identity protection and free credit monitoring.



Equifax Paying Settlement around $700 Million after Massive Data Breach


Almost two years ago, Equifax suffered a massive data breach which exposed a significant amount of sensitive data of over 143 million Americans, the compromised information included that of driving licenses, social security numbers, and addresses of the victims. 

It has been uncovered by The Wall Street Journal and The New York Times that the consumer credit reporting agency is closing in on a settlement with FTC, state attorneys general, Consumer Financial Protection Bureau along with state and federal agencies. Equifax could settle up with $650 to $700 million, out of which it has put aside $690 million for the purpose of penalty. 

As per the media findings, the amount is expected to differ on the basis of the number of people filing claims and the details of the same will be released on Monday.

Notably, the settlement entails terms to devise a separate fund for the purpose of settlement, however, the amount victim's could expect in compensation is still a matter of question.

Commenting on the matter, Equifax CEO, Richard Smith, said, “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” as he decided to retire in the wake of the cyberattack. 



WhatsApp, Telegram Data Stored on Phones is Vulnerable to Cyber Attacks



The data saved by users onto their devices through social messaging apps, Whatsapp and Telegram is vulnerable to cyber attacks and can be exploited by malware with access to external storage, as per the security researchers at Symantec.

End-to-end encryption prevents user data from being read or secretly modified, it led users into believing that their communication is highly secured and their conversations are protected against being accessed by third-party apps. However, the findings at Symantec have made users reconsider the whole idea of data protection via encryption.

The media exchanged on WhatsApp and Telegram gets stored in either of the two storages, external or internal. Now, if the data is stored in the victim's external storage and the malware enters his mobile device, it is configured to gain easy access to these saved files and exploit it subsequently. Moreover, the malware can acquire access to this data even prior to the users, according to The Verge.

After examining the issue, WhatsApp released statements telling that the corresponding updates are under progress with Android's ongoing development.

Referencing from the statements given by a WhatsApp spokesperson, “WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development,”

"WhatsApp follows guidelines from Android including: 'You should use external storage for user data that should be accessible to other apps and saved even if the user uninstalls your app, such as captured photos or downloaded files.' We store files in the same manner as other messaging apps (like Viber), email (like Gmail), and file storage apps (like Dropbox)," he added.

Commenting on the upcoming Android update, he informed, "The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared."

Amazon Sued Over Illegal Retention of Child Recordings Through Alexa



Amazon is being sued by a Massachusetts woman for unlawfully recording and storing the voices of children with its Alexa-enabled devices; the lawsuit filed in Seattle this week, claims that Amazon is contributing to a massive database by harnessing private details of millions of Americans via voice recordings.
Children, as a matter of fact, don’t fully understand the “potentially invasive uses of big data by a company the size of Amazon” and they “use Alexa without any understanding or warning that Amazon is recording and voice-printing them”, according to the lawsuit.
Criticizing Amazon’s methodologies, the two law firms, Quinn Emanuel Urquhart & Sullivan and Keller Lenkner alleged that the company decides to retain the actual voice recordings in spite of having an option to encrypt user voices. According to the complaint filed by these firms on behalf of an anonymous minor, Amazon stores the voices to examine it in the future and deploy the same for commercial profit.
Referencing from the Lawsuit, “It takes no great leap of imagination to be concerned that Amazon is developing voiceprints for millions of children that could allow the company (and potentially governments) to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home,
The company is “allowing workers around the world to listen to the voice recordings and creating voiceprints of the users, which can be used to identify them when they speak to other devices in other locations,” the lawsuit reads.
Referenced from the statements given by a spokeswoman to BBC, “Amazon has a longstanding commitment to preserving the trust of our customers and their families, and we have strict measures and protocols in place to protect their security and privacy.”
Commenting on the matter during his conversation with Yahoo Finance,” Travis Lenkner, one of the plaintiffs’ attorneys, said,
“The legal theory is very straightforward. These kids themselves never consented, if they even could. No one such as a parent ever consented on their behalf,”
“Amazon purports to obtain consent to record individuals who set up an Alexa-enabled device,” the complaint states. “But there is a large group of individuals who do not consent to be recorded when using an Alexa-enabled device and who use Alexa without any understanding or warning that Amazon is recording and voice printing them: children.”
“Every recording that is made of a child, by Amazon through the Alexa software in one of these nine states is ... a per se violation of the privacy laws of those states and carries statutory penalties along with it,”
Delving further into the matter, Lenkar explains “It builds voiceprints of individual users”, “so if a child uses an Alexa device in California, and then uses another one in Washington, Amazon theoretically knows it’s the same person.” The device creates a unique identity for each person based on their voice.”
The fact that Amazon could potentially overwrite the voice recordings and yet chose not to, given that doing so would not hinder the performance of the assistant, further worsens the matter on which the company is expected to provide answers in greater detail very soon.