New Vulnerability in Bluetooth Connections Allows Hackers to Spy on Private Conversations


Bluetooth is used worldwide as one of the most convenient methods of connecting and controlling the devices in range. However, according to a recent report, a vulnerability labeled as the KNOB (Key Negotiation of Bluetooth) attack has been found in Bluetooth connections.

All the Bluetooth compliant devices can be affected by the vulnerability, which allows attackers to spy on a victim's personal conversations. Hackers can also exploit the vulnerability to manipulate the data present on the compromised device.

How the attack unfolds? 

While establishing a functional Bluetooth connection, both the devices rely upon an encryption key. Therefore,
in order to execute the attack, hackers exploit the vulnerability in the Bluetooth standard and weaken this encryption of Bluetooth devices instead of breaking it straightaway.

The attacker gets in the way while the devices are setting up the encryption key and resorts to brute force attack for breaking the new key with less number of digits and manipulates both the devices to employ the new encryption key.

The vulnerability affects devices by some of the renowned manufacturers namely, Apple, Qualcomm, and Intel. Companies like Apple, Microsoft, Cisco, Google, Blackberry, Broadcom and Chicony has already issued a patch to fix the flaw, as per the reports by Mashable.

The group of researchers from the Singapore University of Technology and Design, University of Oxford, and CISPA Helmholtz Center for Information Security, who found this critical vulnerability, explained, "We found and exploited a severe vulnerability in the Bluetooth specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker is able to listen, or change the content of, nearby Bluetooth communication, even between devices that have previously been successfully paired."


Student Uncovers Flaw in Education Software Exposing Data of Students



A high school senior in Lexington, Massachusetts discovered two vulnerabilities in software programs employed by his school which could have potentially affected the student data of around 5 million students.

Billi Demikarpi is a teen hacker who developed a penchant for hacking when he was in the freshman year and subsequently uncovered serious security flaws in two education programs, Aspen and Blackboard.

Reportedly, the probable consequences of these vulnerabilities would have been more disastrous than those San Diego Unified School District faced after the massive data breach that put to risk the data of more than 500,000 students along with the staff of the school.

The information that could have been exposed via the Aspen vulnerability includes details of bus routes, birthplaces, special education status, number of reduced or free lunches and suspensions.

It could have been exploited by the hacker to gain access to the data on the website after entering his own script as the Aspen website lacked the filters which other websites usually contain in order to reject hacker requests.

According to the statements given by both the companies, no one has exploited the security flaws besides Billi, who only accessed the information about himself and of a friend's whom he took consent from before doing so.

While sharing  his experience, Demirkapi said, “These companies say they're secure, that they do audits, but don't take the necessary steps to protect themselves from threats.”



Capital One Data Breach, Hacker gets Access to 100 Million Accounts


A massive data breach to Capital One servers compromised the personal details of an estimated 106 million bank customers and applicants across Canada and the US.

The suspected hacker, Paige Thompson, 33, has been arrested by FBI on Monday. She has shared details about the data breach on a GitHub page earlier in April, according to the criminal complaints.

Thompson broke into a Capital One server and illegally acquired access to customers' names, addresses, credit limit, contact numbers, balances, credit score, and other related data.

According to the documents, the 33-year-old, Seattle resident gained access to 80,000 bank account numbers, 1 million Canadian Social Insurance numbers, and 140,000 Social Security numbers.

Thompson who had previously worked with Amazon Web Services as a software engineer was able to access the data by exploiting a misconfigured web application firewall in company's infrastructure, as per a court filing.

Despite the magnitude of the breach, "no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised," the company told.

Expressing concern over the matter, Chairman Richard Fairbank, said, "While I am grateful that he perpetrator has been aught, I am deeply sorry for what has happened.

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," he assured.

Meanwhile, the company is notifying the victims and aiding them with identity protection and free credit monitoring.




Equifax Paying Settlement around $700 Million after Massive Data Breach


Almost two years ago, Equifax suffered a massive data breach which exposed a significant amount of sensitive data of over 143 million Americans, the compromised information included that of driving licenses, social security numbers, and addresses of the victims. 

It has been uncovered by The Wall Street Journal and The New York Times that the consumer credit reporting agency is closing in on a settlement with FTC, state attorneys general, Consumer Financial Protection Bureau along with state and federal agencies. Equifax could settle up with $650 to $700 million, out of which it has put aside $690 million for the purpose of penalty. 

As per the media findings, the amount is expected to differ on the basis of the number of people filing claims and the details of the same will be released on Monday.

Notably, the settlement entails terms to devise a separate fund for the purpose of settlement, however, the amount victim's could expect in compensation is still a matter of question.

Commenting on the matter, Equifax CEO, Richard Smith, said, “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” as he decided to retire in the wake of the cyberattack. 




WhatsApp, Telegram Data Stored on Phones is Vulnerable to Cyber Attacks



The data saved by users onto their devices through social messaging apps, Whatsapp and Telegram is vulnerable to cyber attacks and can be exploited by malware with access to external storage, as per the security researchers at Symantec.

End-to-end encryption prevents user data from being read or secretly modified, it led users into believing that their communication is highly secured and their conversations are protected against being accessed by third-party apps. However, the findings at Symantec have made users reconsider the whole idea of data protection via encryption.

The media exchanged on WhatsApp and Telegram gets stored in either of the two storages, external or internal. Now, if the data is stored in the victim's external storage and the malware enters his mobile device, it is configured to gain easy access to these saved files and exploit it subsequently. Moreover, the malware can acquire access to this data even prior to the users, according to The Verge.

After examining the issue, WhatsApp released statements telling that the corresponding updates are under progress with Android's ongoing development.

Referencing from the statements given by a WhatsApp spokesperson, “WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development,”

"WhatsApp follows guidelines from Android including: 'You should use external storage for user data that should be accessible to other apps and saved even if the user uninstalls your app, such as captured photos or downloaded files.' We store files in the same manner as other messaging apps (like Viber), email (like Gmail), and file storage apps (like Dropbox)," he added.

Commenting on the upcoming Android update, he informed, "The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared."


Amazon Sued Over Illegal Retention of Child Recordings Through Alexa



Amazon is being sued by a Massachusetts woman for unlawfully recording and storing the voices of children with its Alexa-enabled devices; the lawsuit filed in Seattle this week, claims that Amazon is contributing to a massive database by harnessing private details of millions of Americans via voice recordings.
Children, as a matter of fact, don’t fully understand the “potentially invasive uses of big data by a company the size of Amazon” and they “use Alexa without any understanding or warning that Amazon is recording and voice-printing them”, according to the lawsuit.
Criticizing Amazon’s methodologies, the two law firms, Quinn Emanuel Urquhart & Sullivan and Keller Lenkner alleged that the company decides to retain the actual voice recordings in spite of having an option to encrypt user voices. According to the complaint filed by these firms on behalf of an anonymous minor, Amazon stores the voices to examine it in the future and deploy the same for commercial profit.
Referencing from the Lawsuit, “It takes no great leap of imagination to be concerned that Amazon is developing voiceprints for millions of children that could allow the company (and potentially governments) to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home,
The company is “allowing workers around the world to listen to the voice recordings and creating voiceprints of the users, which can be used to identify them when they speak to other devices in other locations,” the lawsuit reads.
Referenced from the statements given by a spokeswoman to BBC, “Amazon has a longstanding commitment to preserving the trust of our customers and their families, and we have strict measures and protocols in place to protect their security and privacy.”
Commenting on the matter during his conversation with Yahoo Finance,” Travis Lenkner, one of the plaintiffs’ attorneys, said,
“The legal theory is very straightforward. These kids themselves never consented, if they even could. No one such as a parent ever consented on their behalf,”
“Amazon purports to obtain consent to record individuals who set up an Alexa-enabled device,” the complaint states. “But there is a large group of individuals who do not consent to be recorded when using an Alexa-enabled device and who use Alexa without any understanding or warning that Amazon is recording and voice printing them: children.”
“Every recording that is made of a child, by Amazon through the Alexa software in one of these nine states is ... a per se violation of the privacy laws of those states and carries statutory penalties along with it,”
Delving further into the matter, Lenkar explains “It builds voiceprints of individual users”, “so if a child uses an Alexa device in California, and then uses another one in Washington, Amazon theoretically knows it’s the same person.” The device creates a unique identity for each person based on their voice.”
The fact that Amazon could potentially overwrite the voice recordings and yet chose not to, given that doing so would not hinder the performance of the assistant, further worsens the matter on which the company is expected to provide answers in greater detail very soon.





Facebook Now Cracking Down On Third-Party Apps in the Wake of the Cambridge Analytica Scandal




Almost a year after the Cambridge Analytica Scandal, last March, wherein the data of around 87 million users' was gathered and imparted to the Trump-affiliated campaign research firm without their assent Facebook is taking action against certain third-party applications that gulp up enormous amounts of user data in the wake of the Cambridge Analytica scandal.

Facebook said in a blog post that it will never again permit applications with 'minimal utility,' like personality quizzes, to operate on the platform.

Eddie O'Neil, head of platform at Facebook, said in the post, 'As part of our ongoing commitments to privacy and security, we are making updates to our platform...our Facebook Platform Policies are being updated to include provisions that apps with minimal utility, such as personality quizzes, may not be permitted on the platform.

'The update also clarifies that apps may not ask for data that doesn't enrich the in-app, user experience,' he added later.

Be that as it may, as The Verge called attention to the fact that the issue didn't exactly originate from quiz applications, but instead Facebook's lax policies around user data management and how developers had the capacity to collect data from "friends of friends".

It comes as Facebook on Wednesday revealed that it hopes to take on a one-time charge between $3 billion and $5 billion identified with a settlement with the Federal Trade Commission. As last March, the FTC opened an investigation concerning Facebook's data dealings after the Cambridge Analytica scandal first came into light.

While O'Neill stated, 'Going forward, we will periodically review, audit and remove permissions that your app has not sued, developers can submit for App Review to re-gain access to expired permissions.'

What's more, presently, Facebook expects to keep developer from getting to user information on the off chance that it identifies that a user hasn't opened the app in the previous 90 days.


Canadian Investigation Found Facebook to be Violating Privacy Laws



On Thursday, Canadian officials said that owing to its assailable security algorithms, Facebook exposed sensitive information of millions of its users. It has been counted as a critical failure on the company’s part which it did admit to letting happen but denied to fix.

Facebook has violated local as well as national laws when it gave access to private data of millions of its users to third parties, according to an investigation conducted by the information and privacy commissioner of British Columbia and the privacy commissioner for Canada.

The company CEO, Mark Zuckerberg put forth an apology for the major breach of trust that happened in the political scandal associated with Cambridge Analytica, however, they did not take into consideration the issued recommendations regarding the prevention of further exploitation of user data.

Putting the same into perspective, at a news conference, Daniel Therrien, head at federal privacy watchdog, said, “There’s a significant gap between what they say and what they do,”

As the regulators decided to push Facebook to a Canadian federal court which is likely to impose fines on the company, Mr. Therrien told that, “historically there have been very small penalties — in the tens of thousands of dollars.”

Facebook told the investigators that it does not agree with their findings, in response, Mr. Therrien said, “I find that absolutely untenable that a company can tell a regulator that it does not respect its findings.”

Furthermore, he asserted the need to have more authorities for the inspection of companies and even strict privacy laws in the North American country, Canada.

Reportedly, Facebook has denied audits of its privacy procedures and said that it has taken necessary measures against the problems raised by the investigators.

Referenced from the statements given by Facebook on the account, “there’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information.”

“After many months of good-faith cooperation and lengthy negotiations, we are disappointed” that regulators consider the issues raised in this report unresolved,” the company added.




Facebook 'unintentionally' uploaded the email addresses of 1.5 million users without their knowledge


On Wednesday, Facebook admitted that it happened to upload email addresses of 1.5 million users without their consent. However, the contacts were not distributed to anyone and the company said that all the users whose email addresses were uploaded will be sent a notification stating the same.

While the company is in the process of deleting the imported contacts, it said that it had no intentions of uploading these user contacts and will delete them soon.
In the recent years, Facebook fall prey to various security-related problems, including the major Cambridge Analytica political scandal which revealed that the personal data of millions of users has been harvested from their Facebook profiles by Cambridge Analytica to be used for political purposes; another major hit that the company took was a glitch which put to risk the passwords of millions of people.
Facebook has been battling public relation issues for the management of its users’ personal data which it shared with app developers who paid handsomely for advertisements and those who were friends with the company CEO, Mark Zuckerberg.
This month, sensitive documents dealing with internal deliberations over personal data of users were leaked. The documents, which comprised of presentations, emails, meeting summaries and spreadsheets, were shared by a British journalist to various media outlets, as per by NBC News.
Reportedly, the documents indicated deliberations over the selling of users’ data to third-party app developers and seemingly, Facebook decided against it. However, they opt to share the data with CEO Mark Zuckerberg’s friends who in-turn provided their valuable data or spend a huge amount of money on Facebook advertisements.  
A report indicated that Facebook finalized deals of sharing their user data with developers of Sony, Microsoft, Tinder, and Amazon, whereas access to the same information to others was restricted by Facebook.
Referencing from the statements given by Facebook VP and Deputy General Counsel Paul Grewald, 'The documents were selectively leaked as part of what the court found was evidence of a crime or fraud to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we've never sold people's data,
'The set of documents, by design, tells only one side of the story and omits important context,' he added.