Thursday, 18 April 2019

With No Permission, Facebook Slurped up ‘Hundreds of Millions’ of Email Contacts

Book Another Facebook Farce


This story only gets worse for Facebook: Two weeks ago, I told you about how Zuckerberg’s firm was demanding some users enter their email passwords. But now, further revelations make the situation look much, much worse.

It appears Facebook was actually copying those users’ entire contact lists—without permission. The company says it was “unintentional.” So that’s alright then.

How many more straws can fit on this camel’s back? In today’s SB Blogwatch, we’ve lost count of all the Facebook scandals.


Read more: securityboulevard.com/2019/04/with-no-permission-facebook-slurped-up-hundreds-of-millions-of-email-contacts

Wipro customers hacked, says Krebs. Nothing to see here, says Wipro.

Wipro PR go slow—oh no


IT outsourcing outfit Wipro is under fire this week. Sources say it got hacked months ago, and since then has been used as a jumping-off point to hack its customers. Possibly by a state actor.

If that weren’t bad enough, when Brian Krebs—the journalist who reported the hack—asked the Bengaluru firm about it, his questions were ignored. When Wipro PR finally made a buzzword-bingo statement, it was only sent to Indian media.

And then Wipro executives contradicted the statement. Said execs went on to publicly badmouth the reporter.

This is a terrible example of how to act on a breach report. In this week’s Security Blogwatch, we break out the popcorn.


Read more: techbeacon.com/security/wipro-customers-hacked-says-krebs-nothing-see-here-says-wipro

Tuesday, 16 April 2019

Microsoft Cloud Breach: Hackers Read Your Email for 90 Days

Face Meets Palm


Hackers have been able to read the email of Microsoft’s free cloud customers—no password required. Yes, you read that right.

Incredibly, the perps got away with it for almost three months, from early January to late March. It appears they stole a master “golden” support credential—presumably via social engineering.

But Microsoft “takes data protection very seriously.” So that’s OK then.

On the face of it, this is palm-worthy to the max. In today’s SB Blogwatch, we can’t believe what we read:


Read more: securityboulevard.com/2019/04/microsoft-cloud-breach-hackers-read-your-email-for-90-days

Friday, 12 April 2019

Trump Secret Service USB OpSec FAIL: ‘Spy’ Story Gets Weirder

Mar-a-Lackadaisical


That story about the Chinese woman accused of unauthorized entry to Trump’s Mar-a-Lago? It gained a weird new twist this week.

The Feds protecting the President supposedly found a USB stick and did the last thing you should ever do with an untrusted device—they stuck it into a PC. A Secret Service agent testified the PC then behaved in a “very out-of-the-ordinary” way. It’s still unclear what Yujing Zhang was attempting to do at President Trump’s private club in Florida.

On the face of it, this is really appalling operational security. But in today’s SB Blogwatch, we dig a little deeper.


Read more: securityboulevard.com/2019/04/trump-secret-service-usb-opsec-fail-spy-story-gets-weirder

Thursday, 11 April 2019

Fintech fiddles as home burns: 97% of apps lack basic security

Nero ignores conflagration


This is not fine. A white-hat researcher examined 30 financial apps, looking for information security issues—worryingly, all but one of them were insecure.

The failures were mind-numbingly familiar, and dead easy to find. It’s as if the industry has learned nothing and is walking around with a sign on its back, saying, “Rob me.”

Have we learned nothing? In this week’s Security Blogwatch, we’re full of despair.


Read more: techbeacon.com/security/fintech-fiddles-home-burns-97-apps-found-insecure

Tuesday, 9 April 2019

Does Microsoft Violate GDPR? European Regulator Asks Tough Questions

GDPR BadPR


EU privacy regulator investigates Microsoft. Audits contracts with EU bodies for compliance.

EDPS (the European Data Protection Supervisor) wants to ensure GDPR (the General Data Protection Regulation) is being adhered to by Microsoft and its customers inside the institutions of the EU itself, such as the Parliament and the Commission. This comes after serious allegations that Microsoft Office’s telemetry features ran afoul of GDPR.

This could get expensive for Redmond. In today’s SB Blogwatch, we search under the couch cushions, in case Satya needs a hand.


Read more: securityboulevard.com/2019/04/does-microsoft-violate-gdpr-european-regulator-asks-tough-questions

Monday, 8 April 2019

Stalkerware? Spouseware? Creepware? Just Call it Horrific

Trigger warning: domestic abuse; stalking


The Electronic Frontier Foundation (EFF) is stepping up its fight against stalkerware. It’s asking for help from AV vendors, phone platform makers and law enforcement.

Also known as spouseware and creepware, this vile trade is responsible for enabling all manner of frightening and dangerous abuse, from stalking to serious sexual assault. It’s no laughing matter.

It’s time to put an end to it. In today’s SB Blogwatch, we’re truly horrified.


Read more: securityboulevard.com/2019/04/stalkerware-spouseware-creepware-just-call-it-horrific

Thursday, 4 April 2019

Exodus spyware exposes 'sorry' state of Android security

Android Angst; Government Gaffe


The sky is falling. At least, that’s what some conclude, after hearing about Exodus, a family of targeted malware discovered in the official Google Play app store.

By imitating legit apps, Exodus exfiltrates data from countless apps and Android services. It appears to be a lawful surveillance program that escaped from its tight, court-approved targeting of Italian suspects.

But Google says malware like this is vanishingly rare. In this week’s Security Blogwatch, we let my people go.


Read more: techbeacon.com/security/exodus-spyware-exposes-sorry-state-android-security

Wednesday, 3 April 2019

Facebook Forces Users to Give Email Password (wait, what?)


Here’s Facebook’s latest unbelievable scandal: The company has been demanding that some users enter their email passwords, so they can be “verified.”

That’s right, their email password. Facebook claims it’s all above board: It’s for security, y’see—people can totally trust us. But critics say it trains users to do dangerous things.

And Facebook is said to be harvesting the users’ contacts without permission. All this just a month after the company was caught red-handed misusing other security identifiers. Yikes.

Facebook also claims that users can instead verify their email an alternate way, but the UX for that seems to be a blackest-of-Vantablack “dark pattern.” In today’s SB Blogwatch, we can’t believe our eyes.


Read more: securityboulevard.com/2019/04/facebook-forces-users-to-give-email-password-wait-what

Tuesday, 2 April 2019

Office Depot and Support.com to Pay $35M for Fake Malware Scan ‘Scam’


Feds win technical victory against an alleged nine-year plan to fool customers. The Federal Trade Commission (FTC) claims Office Depot and Support.com deliberately lied to consumers, saying their PCs were infected with malware.

However, the scanning tool they used didn’t actually scan anything, according to the FTC. It merely asked a few questions, such as, “Does your PC frequently crash?” And if the customer answered “Yes” to any question, they’d be told the PC needed a $300 fix.

The companies settled out of court for $35 million, without admitting liability. In today’s SB Blogwatch, we feel fine.


Read more: securityboulevard.com/2019/04/office-depot-and-support-com-to-pay-35m-for-fake-malware-scan-scam

Thursday, 28 March 2019

Microsoft Hurts Charming Kitten (aka the APT35 Iran Hacking Group)


Microsoft has damaged a hacking group thought to be run by the Iranian military. APT35—also known as Charming Kitten, Ajax and Phosphorus—has now lost control of 99 internet domains it was using in spear-phishing attacks on journalists and activists.

Redmond’s finest had to ask a court to grant it control of the malicious Purr-sian domains, such as outlook-verify.net. Now it is able to prevent web users from being phished and can collect valuable intelligence on APT35’s naughty tactics.
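Spear-phishing domains of this kind are built to read as the real thing, so a defender’s first check is usually a lookalike-domain filter over DNS or proxy logs. What follows is an added example written for this page, not code from the page, from Microsoft, or from any project: it flags hostnames that contain a protected brand token (after undoing hyphens and digit-for-letter swaps) but are not under that brand’s legitimate apex domains. The domain outlook-verify.net comes from the story above; the other sample log lines, the brand list and the apex allow-list are constructed for illustration and are not authoritative.

```python
# Added example: lookalike-domain detection over a simple DNS-query log.
# Brand tokens and the apexes that legitimately carry them are assumptions
# for illustration; a real deployment would maintain these lists properly.
LEGIT_APEX = {
    "outlook": {"outlook.com", "outlook.office.com", "office.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}

# Minimal two-label public suffixes so registrable domains are reported sensibly.
# Use the Public Suffix List in production instead of this stub.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registered_domain(host):
    """'a.b.outlook-verify.net' -> 'outlook-verify.net'; 'www.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_lookalike(host):
    """Return the imitated brand if the host carries a brand token but is not
    the brand's own apex (or a subdomain of it); otherwise None."""
    full = host.lower().rstrip(".")
    # Undo the cheapest disguises before looking for the token.
    normalised = full.replace("-", "").replace("0", "o").replace("1", "l")
    for brand, apexes in LEGIT_APEX.items():
        if any(full == a or full.endswith("." + a) for a in apexes):
            continue  # genuinely under the brand's apex
        if brand in normalised:
            return brand
    return None


def scan_log(lines):
    """Scan 'timestamp client host' lines; return (host, registrable domain, brand) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = parts[2]
        brand = is_lookalike(host)
        if brand:
            hits.append((host, registered_domain(host), brand))
    return hits


# Constructed sample log (not captured from a real resolver).
SAMPLE_LOG = """\
2019-03-28T10:00:01Z 10.0.0.5 outlook.office.com
2019-03-28T10:00:02Z 10.0.0.5 outlook-verify.net
2019-03-28T10:00:03Z 10.0.0.7 login.microsoftonline.com
2019-03-28T10:00:04Z 10.0.0.9 mail.micros0ft-login.com
2019-03-28T10:00:05Z 10.0.0.9 example.org
""".splitlines()

if __name__ == "__main__":
    for host, reg, brand in scan_log(SAMPLE_LOG):
        print(f"suspicious: {host} (block {reg}; imitates {brand})")
```

The allow-list check runs on the full hostname so that a brand planted in a subdomain (outlook.com.evil.net) is still caught, while the registrable domain is what you would actually sinkhole or block. Expect false positives from legitimate partners that use a brand name in their own domains; the point is to surface candidates for review, not to block on sight.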

Go back to sleep, tiny cat. In today’s SB Blogwatch, we destroy your furniture.


Read more: securityboulevard.com/2019/03/microsoft-hurts-charming-kitten-aka-the-apt35-iran-hacking-group

ASUS ShadowHammer backdoor: Was China to blame?



ASUS laptops infected by the “ShadowHammer” malware were targeted by the People’s Republic of China. At least, that’s the implication of a Kaspersky Lab researcher.

Mind you, Kaspersky is alleged to be rather close to a certain other state. So a pinch of salt might be indicated.

Whoever’s responsible, there are worrying implications for the future of state-sponsored cyber-ops. In this week’s Security Blogwatch, everything looks like a nail.


Read more: techbeacon.com/security/asus-shadowhammer-backdoor-was-china-blame

Tuesday, 26 March 2019

Apple Credit Card: Not So Secure, nor Private


Apple Card is here. It boasts anti-fraud security features and interesting privacy promises.

But is there much that’s new here? Probably not: People are saying it’s just a glossy sheen on top of existing technologies, and the privacy aspect ain’t all that.

What gives? In today’s SB Blogwatch, we wonder what all the fuss is about.


Read more: securityboulevard.com/2019/03/apple-credit-card-not-so-secure-nor-private

Friday, 22 March 2019

Implanted Medical Devices Can Be Hacked Wirelessly, Warns U.S. Gov’t


Implantable cardioverter defibrillators (ICDs) made by Medtronic are insecure, says the Department of Homeland Security’s CISA team. Exploitation is trivial; possible outcomes include the death of the patient.

And wouldn’t you know it, Medtronic knew about the problem for more than a year. Basically, wireless commands can completely reprogram the devices; there’s no authentication and no encryption.

“Are you serious?” you ask. In today’s SB Blogwatch, we’re as serious as a heart attack.


Read more: securityboulevard.com/2019/03/implanted-medical-devices-can-be-hacked-wirelessly-warns-u-s-govt

Thursday, 21 March 2019

Did Uber Use Spyware on Rival Taxi Firm? Yes (and No)


“Ride sharing” company stands accused of using spyware to damage a competitor’s business: An Australian taxi startup says Uber poached its drivers by spying on their movements.

Uber blames one rogue employee. But some commentators allege it’s not the first time the company’s used dirty tricks to boost its business. For example, there was that time Uber was banned from operating anywhere in London, England.

So what really happened here? In today’s SB Blogwatch, we make educated guesses.


Read more: securityboulevard.com/2019/03/did-uber-spyware-on-rival-taxi-firm-yes-and-no

The diagnosis for US electronic health records: Fatally flawed


EHR is badly broken. That’s the conclusion of a too-long report into electronic health records in the US.

It’s dangerous, buggy, expensive, over-complicated, and encourages fraud. And that’s even before we start to think of the likely security issues.

Stop. You’re killing me. In this week’s Security Blogwatch, we smell no evil.


Read more: techbeacon.com/security/diagnosis-us-electronic-health-records-fatally-flawed

Tuesday, 19 March 2019

Ransomware Fighter Lives in Fear for his Life



This hacker hacks the hackers. He reverse-engineers ransomware so that victims can decrypt their files without paying money to criminals.

But the polar bear-loving Fabian Wosar lives in hiding at an undisclosed location. It’s all thanks to the threats and abuse he receives from ransomware gangs, which he describes as “the Russian mob.”

Scary stuff. In today’s SB Blogwatch, we peek behind the curtain and marvel.


Read more: securityboulevard.com/2019/03/ransomware-fighter-lives-in-fear-for-his-life

Friday, 15 March 2019

Android Security is a Hot Mess (yet Again)



Google’s Android smartphone platform is under fire again. Hundreds of “legitimate” apps have been infected with malicious third-party libraries—and not for the first time. These apps account for more than 320 million downloads.

The so-called SimBad and Operation Sheep SDKs are malicious, according to researchers. They’re able to phish, steal data and pop up ads over other apps.

Google keeps talking a grand talk, but is it proactive enough about nuking malware in the Play Store? In today’s SB Blogwatch, we avoid an Android army ambush.


Read more: securityboulevard.com/2019/03/android-security-is-a-hot-mess-yet-again

Thursday, 14 March 2019

30 years into the web, Sir Tim vents on scams, hacks and hate


Sir Tim Berners-Lee has been painting a slightly depressing picture of the web’s problems. But his recent open letter also celebrates the web’s extraordinary achievements.

So happy birthday, World Wide Web. It was 30 years ago when Sir Tim formally proposed Mesh, or Mine, or what we now know as the web.

As he super-tweeted in the 2012 Olympic Games, this is for everyone. But not everyone is on board the TBL-fanboi bus. In this week’s Security Blogwatch, we spin sticky silk.


Read more: techbeacon.com/security/30-years-web-sir-tim-vents-scams-hacks-hate

Tuesday, 12 March 2019

Citrix Systems Breached ‘for 10 Years by Iran,’ Claims Unknown Infosec Firm


Citrix Systems’ networks were infested with hackers, who stole terabytes of data. So says a security service provider nobody’s heard of—and that seems to have popped out of nowhere.

It was Iran, alleges the dubitable company. And so the mainstream media rush to parrot the unfound finding. But where’s the evidence?

Neither Citrix nor the FBI are saying. In today’s SB Blogwatch, we feel like useful idiots.


Read more: securityboulevard.com/2019/03/citrix-systems-breached-for-10-years-by-iran-claims-unknown-infosec-firm

Friday, 8 March 2019

Chrome Zero-Day RCE: Exploit in the Wild – Patch Now


Google is warning Chrome users to update their browser installations immediately. Previous versions have a nasty security bug that allows remote code execution.

And it’s not theoretical: It turns out that this vulnerability was already being exploited before the patch was available. Google is being super-cagey about the exact nature of the flaw, but the company is being unusually insistent about how urgent this is.

So you know what to do and when to do it. In this week’s SB Blogwatch, we sit up and take notice.


Read more: securityboulevard.com/2019/03/chrome-zero-day-rce-exploit-in-the-wild-patch-now

Thursday, 7 March 2019

RSAC 2019: Better, wetter—and weirder


It’s that time again: Another RSA Conference in a rain-lashed San Francisco. This year’s theme is “Better.”

RSAC is the big infosec bunfight for hawkish vendors, arm-wavy consultants, and harassed PR mavens. Some think it’s the place to see and be seen, but others can’t wait for it to be over for yet another year.

And what caught your humble blogwatcher’s eye this year? In Security Blogwatch, we scour the Moscone Center so you don’t have to.


Read more: techbeacon.com/security/rsac-2019-better-wetter-weirder

Tuesday, 5 March 2019

Uproar Over Facebook 2FA Privacy Violation


Facebook has been caught red-handed again, so say privacy wonks. They accuse Zuckerberg’s crew of misusing phone numbers given to it for use in two-factor authentication.

Said wonks say Facebook is sharing the data with Instagram and WhatsApp to secretly link your profiles together. And that it lets miscreants look you up by your phone number, subjecting your identity to stalking, social engineering and other malicious awfulness. Facebook is also accused of violating GDPR, for using the numbers without consent.

Yet Facebook spokesdroids are unrepentant. In this inaugural SB Blogwatch, we phone a friend.


Read more: securityboulevard.com/2019/03/uproar-over-facebook-2fa-privacy-violation

Thursday, 28 February 2019

Google: 'Spectre can't be fixed.' Panic now?



Software alone can’t save us from Spectre-class vulnerabilities in modern CPUs. That’s the scary conclusion from a bone-dry research paper penned by Google engineers.

Be afraid. Be very afraid. Because there’s no evidence that CPU vendors are actually taking this thing seriously—even though they’ve known about it since June 2017 (perhaps even longer than that).

So all we have are code fixes that slow down our infrastructure without fixing the underlying problem. In this week’s Security Blogwatch, we run for the hills.
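If the software fixes are all we have, the practical question for an operator is which of them a given host is actually running. On Linux the kernel exposes that under /sys/devices/system/cpu/vulnerabilities/, one file per issue, each holding a single line of the form “Not affected”, “Vulnerable…” or “Mitigation: …”. The following is an added example written for this page, not code from the page or from Google’s paper: it classifies those status lines and summarises a host. The sysfs path and line formats are the kernel’s own; the sample status lines below are constructed, not captured from a real machine.

```python
# Added example: summarise Linux CPU-vulnerability mitigation status from sysfs.
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"  # kernel interface, Linux 4.15+


def classify(status):
    """Map one sysfs status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarise(statuses):
    """statuses: {vulnerability name: raw status line}. Returns {name: (class, stripped line)}."""
    return {name: (classify(line), line.strip()) for name, line in statuses.items()}


def unmitigated(summary):
    """Names still classified vulnerable or unparseable, sorted, i.e. the ones to chase."""
    return sorted(n for n, (cls, _) in summary.items() if cls in ("vulnerable", "unknown"))


def read_host_statuses(path=VULN_DIR):
    """Read every status file under the sysfs directory; empty dict if it is absent."""
    statuses = {}
    if not os.path.isdir(path):
        return statuses
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as f:
                statuses[name] = f.read()
        except OSError:
            continue  # e.g. a file the kernel declines to expose to this user
    return statuses


# Constructed sample in the kernel's line format (assumption: not from a real host).
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: retpoline without IBPB\n",
    "spec_store_bypass": "Vulnerable\n",
    "l1tf": "Not affected\n",
}

if __name__ == "__main__":
    live = read_host_statuses()
    summary = summarise(live if live else SAMPLE)
    for name, (cls, detail) in summary.items():
        print(f"{name:20s} {cls:13s} {detail}")
    print("needs attention:", ", ".join(unmitigated(summary)) or "none")
```

Read “mitigated” as “the kernel applied whatever it has”, not “safe”: the paper’s point is precisely that these software mitigations are partial, and a line starting “Vulnerable:” can still name a half-measure the kernel chose to apply. Run this across a fleet and the spread of answers, plus the microcode versions behind them, is what tells you where the patch budget is going.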


Read more: techbeacon.com/security/google-spectre-cant-be-fixed-panic-now

Friday, 15 February 2019

Richi dun editted anuvver bouk

via Kristina Podnar:

This book, out in March 2019, lets you unleash the power of digital policy. You can sign up now to be the first to hear about the release:

kpodnar.com/book

Thursday, 14 February 2019

Hackers love Docker: Container catastrophe in 3, 2, 1...


The day we all feared would come has come. Docker and Kubernetes containers are revealed to be badly vulnerable—along with LXC, Mesos, and several other container flavors.

An easily exploited flaw means a container can escape its paper-thin walls and execute on the host system—as root. Time to audit your trust boundaries.
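Auditing trust boundaries here means knowing which containers would hand an escaping attacker the most: the ones running as root, with extra capabilities, in privileged mode, sharing the host PID namespace, or with the Docker socket mounted. The following is an added example written for this page, not code from the page or from the Docker, Kubernetes or any other project: it reads the JSON that `docker inspect` prints and flags those containers. The sample document is constructed to match the fields docker inspect uses (Config.User, HostConfig.Privileged, HostConfig.CapAdd, HostConfig.PidMode, Mounts) and is trimmed to just those fields; the risky-capability list is an assumption for illustration.

```python
# Added example: flag containers whose configuration makes a host escape worst-case.
import json
import subprocess

# Capabilities that on their own give a root process a short path to the host.
# This shortlist is an illustrative assumption, not an exhaustive policy.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def audit_container(c):
    """Return a list of findings for one 'docker inspect' entry (a dict)."""
    findings = []
    cfg = c.get("Config") or {}
    hc = c.get("HostConfig") or {}
    user = (cfg.get("User") or "").strip()
    # An empty User means the image default, which for most images is root.
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root")
    if hc.get("Privileged"):
        findings.append("privileged mode")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in RISKY_CAPS:
            findings.append(f"added capability {cap}")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    for m in c.get("Mounts") or []:
        src = m.get("Source", "")
        if src.endswith("docker.sock") or src == "/":
            findings.append(f"mounts {src}")
    return findings


def audit(inspect_json):
    """Parse 'docker inspect' output (a JSON list) into {container name: [findings]}."""
    report = {}
    for c in json.loads(inspect_json):
        findings = audit_container(c)
        if findings:
            report[(c.get("Name") or "?").lstrip("/")] = findings
    return report


def audit_live():
    """Inspect every container on this host (needs docker in PATH and socket access)."""
    ids = subprocess.run(["docker", "ps", "-aq"], capture_output=True, text=True, check=True).stdout.split()
    if not ids:
        return {}
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True, text=True, check=True).stdout
    return audit(out)


# Constructed sample in docker inspect's layout (assumption: not from a real host).
SAMPLE = json.dumps([
    {"Name": "/web", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": ""}, "Mounts": []},
    {"Name": "/builder", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "PidMode": ""},
     "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}]},
    {"Name": "/agent", "Config": {"User": "root"},
     "HostConfig": {"Privileged": True, "CapAdd": None, "PidMode": "host"}, "Mounts": []},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```

Patching the runtime is still step one; this only tells you which containers to worry about most while you do it, and which ones should never have been allowed to run as root in the first place. The same fields are visible in a Kubernetes pod’s securityContext and volumes, so the logic ports over once you swap the JSON shape.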

Happy Valentine’s Day, DevOps peeps. In this week’s Security Blogwatch, we drop everything and patch.


Read more: techbeacon.com/security/hackers-love-docker-container-catastrophe-3-2-1

Thursday, 7 February 2019

FaceTime FauxPas: Sorry-not-sorry about the bug bounty boo-boo


Apple says sorry for the privacy-busting FaceTime bug we talked about last week.

But there’s no apology yet to the kid and his mother who tried their best to report the “FacePalm” bug to Apple, yet kept facing brick wall after brick wall. Although there is the vague suggestion the trillion-dollar company might pay him some money.

In trying to fix its PR fail, has Apple made things worse? In this week’s Security Blogwatch at TechBeacon, Richi Jennings is sorry.


Read more: techbeacon.com/security/facetime-fauxpas-sorry-not-sorry-about-bug-bounty-boo-boo

Monday, 4 February 2019

Remember me?

Hey, it's Richi. … Richi? … Jennings? … Yeah, that guy.

Thanks to the business geniuses at Surpass Hosting for quadrupling my hosting fee, and to the fine folks at Alphabet who are killing Google+, I'm resurrecting my old blog as a web presence.

Apologies in advance for dust and broken links. I'll get to fixing things up as soon as I can.

A lot's happened since my last post in 2011. Maybe I'll tell you about it sometime…